PLANET.OPENSOURCE.DK

Last updated:
July 28, 2014, 10:20 UTC

Disclaimer:
These are people's own opinions and do not necessarily have any connection to what Danish open source associations think.

July 16, 2014

Baptiste Daroussin started the session with a status update on package building. All packages are now built with poudriere. The FreeBSD Foundation sponsored some large machines on which it takes around 16 hours to build a full tree. Each Wednesday at 01:00 UTC the tree is snapshotted and an incremental build is started for all supported releases, the 2 stable branches (9 and 10) and quarterly branches for 9.x-RELEASE and 10.x-RELEASE. The catalogue is signed on a dedicated signing machine before upload. Packages can be downloaded from 4 mirrors (us-west, us-east, UK, and Russia) and feedback so far has been very positive.

He went on to note that ports people need better coordination with src people on ABI breakage. We currently only support i386 and amd64, with future plans for ARM and a MIPS variant. Distfiles are not currently mirrored (since fixed), and while it has seen no progress, it’s still a good idea to build a pkg of the ports tree itself.

pkg 1.3 will include a new solver, which will help 'pkg upgrade' understand that an old package needs to be replaced with a newer one, with no more need for 'pkg set' and other chicanery. Cross building ports has been added to the ports tree, but is waiting for pkg-1.3. All the dangerous operations in pkg have now been sandboxed as well.

EOL for pkg_tools has been set for September 1st. An errata notice has gone out that adds a default pkg.conf and keys to all supported branches, and nagging delays have been added to ports.

Quarterly branches based on a 3-month support cycle have been started on an evaluation basis. We’re still unsure about the manpower needed to maintain those. Every quarter a snapshot of the tree is created and only security fixes, build and runtime fixes, and upgrades to pkg are allowed to be committed to it. Using the MFH tag in a commit message will automatically send an approval request to portmgr and an mfh script in Tools/ makes it easy to do the merge.

Experience so far has been good, with some minor issues due to insufficient testing. MFHs should only contain the above mentioned fixes; cleanups and other improvements should be done in separate commits only to HEAD. A policy needs to be written and announced about this. Do we want to automatically merge VuXML commits, or just remove VuXML from the branch and only use the one in HEAD?

A large number of new infrastructure changes have been introduced over the past few months, some of which require a huge migration of all ports. To speed these changes up, a new policy was set to allow some specific fixes to be committed without maintainer approval. Experience so far has been good, things actually are being fixed faster than before and not many maintainers have complained. There was agreement that the list of fixes allowed to be committed without explicit approval should be a specific whitelist published by portmgr, and not made too broad in scope.

Erwin Lansing quickly measured the temperature of the room on changing the default protocol for fetching distfiles from MASTER_SITE_BACKUP from ftp to http. Agreement all around and Erwin committed the change.

Ben Kaduk gave an introduction and update on MIT’s Athena Environment with some food for thought. While currently not FreeBSD based, he would like to see it become so. Based on Debian/Ubuntu and rolled out on hundreds of machines, it now has its software split into about 150 different packages and metapackages.

Dag-Erling Smørgrav discussed changes to how dependencies are handled, especially splitting dependencies that are needed at install time (or staging time) and those needed at run time. This may break several things, but pkg-1.3 will come with better dependency tracking solving part of the problem.

Ed Maste presented the idea of “package transparency”, loosely based on Google’s Certificate Transparency. By logging certificate issuance to a log server, which can be publicly checked, domain owners can search for certificates issued for their domains, and notice when a certificate is issued without their authority. Can this model be extended to packages? Mostly useful for individually signed packages, while we currently only sign the catalogue. Can we do this with the current infrastructure?

Stacy Son gave an update on Qemu user mode, which is now working with Qemu 2.0.0. Both static and dynamic binaries are supported, though only a handful of system calls are supported.

Baptiste introduced the idea of having pre-/post-install scripts be a library of services, like Casper, for common actions. This reduces the ability of maintainers to perform arbitrary actions and can be sandboxed easily. This would be a huge security improvement and could also enhance performance.

Cross building is coming along quite well and most of the tree should be able to be built by a simple 'make package'. Major blockers include perl and python.

Bryan Drewery talked about a design for a PortsCI system. The idea is that a committer can easily schedule a build, be it an exp-run, reference, QAT, or other, either via a web interface or something similar to a pull request, which can fire off a build.

Steve Wills talked about using Jenkins for ports. The current system polls SVN for commits and batches several changes together for a build. It uses 8 bhyve VM instances, but is slow. Sean Bruno commented that there are several package building clusters right now, can they be unified? Also how much hardware would be needed to speed up Jenkins? We could use Jenkins as a frontend for the system Bryan just talked about. Also, it should be able to integrate with Phabricator.

Erwin opened up the floor to talk about freebsd-version(1) once more. It was introduced as a mechanism to find out the version of userland currently running, as uname -r only represents the kernel version, and would thus miss updates of the base system that do not touch the kernel. Unfortunately, freebsd-version(1) cannot really be used like this in all cases; it may work for freebsd-update, but not in general. No real solution was found this time either.

The session ended with a discussion about packaging the base system. It’s a target for FreeBSD 11, but lots of questions are still to be answered. What granularity to use? What should be packaged into how many packages? How to handle options? Where do we put the metadata for this? How do upgrades work? How to replace shared libraries in multiuser mode? This part also included the quote of the day: “Our buildsystem is not a paragon of configurability, but a bunch of hacks that annoyed people the most.”

Thanks to all who participated in the working group, and thanks again to DK Hostmaster for sponsoring my trip to BSDCan this year, and see you at the Ports and Packages WG meet up at EuroBSDCon in Sofia in September.


The DNS Working Group at the FreeBSD Developer Summit at BSDCan this year was off to a good start by noticing that DNSSEC validation could not work on the University of Ottawa’s wireless network. The university’s resolvers added additional records to the root zone, thus failing validation at the root. This led to some discussion on how to provide a user-friendly way to explain this in an understandable way to the user and give the user a choice of turning off validation or finding another network. This certainly is going to be a major problem when turning on validation by default as broken resolvers are very common at hotels, coffee shops, etc. etc.

On a more positive note, all the FreeBSD project's zones are DNSSEC signed and all project-owned servers have SSHFP records in the zone. Dog food was eaten.

Dag-Erling Smørgrav started off by giving an overview of the current state of affairs. ldns and unbound are imported into base in HEAD and 10.x. unbound is meant to act as a local resolver only and as it is not linked to libevent, it will not scale to anything else. For a network-wide resolver or any other configuration, it is recommended to install unbound from ports. DES further went into some of the implementation details on how the base unbound is installed to make sure it does not conflict with an unbound installed from ports.

DES explained some issues he encountered with local and RFC1918 zones which are filtered by default by unbound. Others reported no issues with the right configuration options, so more investigation is needed.

Some people reported having difficulty getting patches accepted upstream by NLNetLabs, which gave some cause for concern as we clearly want a good and active working relationship with our DNS vendor. Others reported no problem working with NLNetLabs, quite the opposite, they are very interested to see the work going on in operating systems, so we’ll just need to build upon that relationship and make sure to invite them to the next WG meeting. Patches that are currently being worked on, DES has some code cleanups, Björn a DNS64 feature, should be submitted through the “normal” submission process and review with NLNetLabs and we’ll see how that goes.

Erwin Lansing started the brainstorm session on future work. Some command line tools would be nice to have; drill does most things one wants, but people are too used to writing dig and dig has many more options; Peter Wemm would like to see contrib scripts like ldns-dane, which are just really easy to use; the control socket should be a unix socket, there’s a patch floating around and should be submitted upstream.

The “Starbucks” problem came up again, with a proposal to turn on val-permissive-mode by default. Another solution may be by looking at how unbound-trigger does its magic.

After a coffee break, Peter Losher, ISC, went over some of the recent changes at ISC. BIND10 development has been handed over to a new project and ISC will concentrate on BIND9 and a stand-alone project for the DHCP component. BIND 9.10 was recently released and plans are in place for 9.11. ISC is open to suggestions and feature requests.

Peter brought up the topic of clientID for which an IETF draft (draft-edns0-client-subnet) is available. This would help clients find the nearest CDN node, etc. ISC wants this to be an opt-out in operating systems as it will peel off a layer of anonymisation, and should be controllable by the user.

Next up was Michael Bentkofsky, Verisign, who, while not involved in the project himself, gave an introduction into the getDNS API, which is a replacement for getaddrinfo and allows the stub resolver to get validation information down at the client level. It’s available in ports. The discussion went into more of a brainstorm on how applications should get DNS and DNSSEC information and who gets to make decisions about its security. There should be a clear separation between policy and mechanism, where application programmers should not have to worry about this; it should be a system policy. There should be a higher level API where an application basically can ask the operating system for a “connection” and the operating system takes care of everything behind the scenes, DNS, DNSSEC, SSL, DANE, etc. and just returns a socket, with some information on how the connection was established and which security mechanisms were used. In FreeBSD, it would make sense to let the Casper daemon hand out the different sub-tasks to ensure all lookups, cryptography, etc. are properly compartmentalised. One potential problem with passing on additional information is that all DNS lookups currently go through nsswitch, which would need to grow knowledge about that data as well. Are people still using other mechanisms for hostname lookups besides the hosts file and DNS? We can probably just remove nsswitch for the hostname lookups.

The session ended with some aims for the 11.0 release. We’ll need to have a wider discussion about the aforementioned removal of nsswitch out of the hostname lookups. We’ll also need a better understanding of what API capabilities applications may need. Can Casper provide all these? Can it run unbound behind the scenes to do all the DNS “stuff” for it? Can we capsicumize unbound and will that be accepted upstream? Enough food for thought and even more for writing code.

Thanks again to DK Hostmaster for sponsoring my trip to BSDCan this year, and see you at the DNS WG meet up at EuroBSDCon in Sofia in September.


Elasticsearch graphs (July 16, 2014, 07:35 UTC)

After having worked with Elasticsearch and thrown quite a lot of data at it (we add about 100 million documents a day), I have built a very nice set of graphs that help me visualize problems and activity in the cluster, and figured I'd share them to hopefully give some inspiration :)

p.s. the jvm_heap_usage graphs - the two lines which are very jumpy, are the ones I switched to using G1 Garbage Collector, which does seem to be of help when you're running close to your heap limit :) 

p.s. view image alone, to see it in full size.


July 15, 2014
The data cooperative data.coop (July 15, 2014, 11:52 UTC)

Three weeks ago, on Tuesday, June 24, the founding general assembly of data.coop was held.

According to the bylaws, the association's purpose is:

The association data.coop wishes to make digital infrastructure available to its members in a way where the association's core principles (privacy protection, encryption, decentralization and zero-knowledge for the association as service provider) are in focus. Furthermore, the association will advocate for its core principles, help people act responsibly on the net, and cooperate with other data cooperatives/help others get started with similar associations.

The motivation for founding the association is probably best formulated by Mikkel here: https://www.detfalskested.dk/2014/06/18/indkaldelse-til-stiftende-generalforsamling-for-datafaellesskab/

After a lengthy process at the founding general assembly with minor changes to a set of standard bylaws, these were finally approved, and a board was elected (and yours truly managed to grab a seat).

Board:

Alternates:

…what now?

Right now, summer (holiday) seems to have set in.

But at some point the practical data cooperative will of course have to get going. The first step is apparently a sensible e-mail solution. What then comes in terms of data hosting, a Dropbox alternative or the like, time will tell.
Which specific technical solutions should be used, where data should be hosted, etc., I will not take a position on at all, but it is my experience that quite a bit of thought has been given to this by people with more technical insight than me.

The board should probably also hold a meeting, consider any finances and the like.

A website should probably also be set up, with more detailed contact info, mailing lists, etc. That work has apparently also slowly been started.

If you want to join, the easiest thing is probably to keep an eye on the website data.coop, where further info will surely appear in the near future. Alternatively, you can try to contact (members of) the board.

Image by: Bob Mical

July 09, 2014
Sune Vuorela a.k.a. pusling
CMake and library properties (July 09, 2014, 06:30 UTC)
Sune Vuorela

When writing libraries with CMake, you need to set a couple of properties, especially the VERSION and SOVERSION properties. For library libbar, it could look like:

set_property(TARGET bar PROPERTY VERSION "0.0.0")
set_property(TARGET bar PROPERTY SOVERSION 0 )

This will give you a libbar.so => libbar.so.0 => libbar.so.0.0.0 symlink chain with a SONAME of libbar.so.0 encoded into the library.

The SOVERSION target property controls the number in the middle part of the symlink chain as well as the numeric part of the SONAME encoded into the library. The VERSION target property controls the last part of the last element of the symlink chain.

This also means that the first part of VERSION should match what you put in SOVERSION to avoid surprises for others and for the future you.

Both these properties control “Technical parts” and should be looked at from a technical perspective. They should not be used for the ‘version of the software’, but purely for the technical versioning of the library.

In the kdeexamples git repository, it is handled like this:

set(BAR_VERSION_MAJOR 1)
set(BAR_VERSION_MINOR 2)
set(BAR_VERSION_PATCH 3)
set(BAR_VERSION ${BAR_VERSION_MAJOR}.${BAR_VERSION_MINOR}.${BAR_VERSION_PATCH} )

And a bit later:

set_target_properties(bar PROPERTIES VERSION ${BAR_VERSION}
SOVERSION ${BAR_VERSION_MAJOR} )

which is a fine way to ensure that things actually match.

Oh. And these components are not something that should be inherited from other external projects.

So people, please be careful to use these correctly.


July 03, 2014
Poul-Henning Kamp a.k.a. phk
And I repeat: (July 03, 2014, 10:27 UTC)
Poul-Henning Kamp No, I am actually so tired of repeating myself that I won't. Can't you just find some of my earlier grumbling about an IT accident investigation board and about why mainframe environments are a security threat in the archive? And yes, I find it exceptionally ironic that it is precisely the citizens who have ...


July 02, 2014
Peter Toft a.k.a. pto
Peter Toft I receive, probably just like you, a sea of emails that try to swindle me out of money. Today I got one that I was "closer" to believing. The person (we can call him Kim) is an acquaintance who could easily be the real sender. In this case I contacted the person, who could ...


The calculations: 10Gbit/s wirespeed (July 02, 2014, 10:18 UTC)
In this blogpost, I'll try to make you understand the engineering challenge behind processing 10Gbit/s wirespeed, at the smallest Ethernet packet size.

The peak packet rate is 14.88 Mpps (million packets per sec) uni-directional on 10Gbit/s with the smallest frame size.

Details: What is the smallest Ethernet frame
Ethernet frame overhead:


Thus, the minimum size Ethernet frame is: 84 bytes (20 + 64)

Max 1500 bytes MTU Ethernet frame size is: 1538 bytes (calc: (12+8) + (14) + 1500 + (4) = 1538 bytes)

Packet rate calculations

Peak packet rate calculated as:  (10*10^9) bits/sec / (84 bytes * 8) = 14,880,952 pps
1500 MTU packet rate calculated as: (10*10^9) bits/sec / (1538 bytes * 8) = 812,744 pps

Time budget
This is the important part to wrap-your-head around.

With 14.88 Mpps the time budget for processing a single packet is:

  • 67.2 ns (nanosecond) (calc as: 1/14880952*10^9 ns)

This corresponds to approx. 201 CPU cycles on a 3GHz CPU (assuming only one instruction per cycle, disregarding superscalar/pipelined CPUs). Only having 201 clock-cycles processing time per packet is very little.

Relate these numbers to something
This 67.2ns number is hard to use for anything, if we cannot relate this to some other time measurements.

cache-misses
A single cache-miss takes: 32 ns (measured on a E5-2650 CPU). Thus, with just two cache-misses (2x32=64ns), almost the total 67.2 ns budget is gone. The Linux skb (sk_buff) is 4 cache-lines (on 64-bit), and the kernel e.g. insists on writing zeros to these cache-lines, during allocation of an skb.

cache-references
We might not "suffer" a full cache-miss, sometimes the memory is available in L2 or L3 cache.  Thus, it is useful to know these time measurements.  Measured on my E5-2630 CPU (with lmbench command "lat_mem_rd 1024 128"), L2 access costs 4.3ns, and L3 access costs 7.9ns.

The "LOCK" operation
Assembler instructions can be prefixed with a "LOCK" operation, which means that they perform an atomic operation. This is used every time e.g. a spinlock is locked or unlocked, cmpxchg and atomic_inc (some operations are even implicitly LOCK prefixed, like xchg).

I've measured the cost of this atomic "LOCK" operation to be 8.25ns on my CPU (with this program). Even for the completely optimal situation of a spinlock only being touched by one CPU, we have two LOCK calls which cost 16.5ns.

System call overhead
A FreeBSD case study of sendto(), in Luigi Rizzo's netmap paper, shows that the cost of only the system call is 96ns, which is above the 67.2 ns budget.  The total overhead of sendto() was 950 ns.  These 950ns correspond to 1,052,631 pps (calc as 1/(950/10^9)).
On Linux I measured the system call getuid(2), to take 87.77 ns and 201 CPU-cycles (TSC measurement) (the CPU efficiency was 1.42 insns per cycle, measured with perf stat). Thus, the syscall itself eats up the entire budget.

  • Update: Most of the syscall overhead comes from kernel option CONFIG_AUDITSYSCALL, without it, the syscall overhead drops to 41.85 ns.


How to overcome this syscall problem?  We can amortize the cost, by sending several packets in a single syscall.  It is not very well known, but we actually already have a syscall to send several packets with a single syscall, called "sendmmsg(2)". Notice the extra "m" (and the corresponding receive version "recvmmsg(2)"). Not many examples exist on the Internet for using these syscalls. Thus, I've provided some example code here for sendmmsg and recvmmsg.

RAW socket speeds
Daniel Borkmann and I recently optimized AF_PACKET, to scale to several CPUs (trafgen, kernel qdisc bypass and trafgen use qdisc bypass). But let us look at the performance numbers for only a single CPU:

  • Qdisc path = 1,226,776 pps => 815 ns per packet (calc: 1/pps*10^9)
  • Qdisc bypass = 1,382,075 pps => 723 ns per packet (calc: 1/pps*10^9)

This is also interesting, because this shows us the cost of the qdisc code path, which costs 92 ns.  In this 10Gbit/s context it is fairly large, e.g. corresponding to almost 3 cache-line misses (92/32=2.9).
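
An added illustration of the sendmmsg(2)/recvmmsg(2) batching described in the system call section of the post above; it is not the post author's example code. The batch size of 32, the 18-byte payload (what fits in a minimum-size 64-byte Ethernet frame over IPv4/UDP) and the loopback setup are assumptions made here.

```c
#define _GNU_SOURCE            /* sendmmsg(2)/recvmmsg(2) are Linux extensions */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <time.h>
#include <unistd.h>

#if defined(__GLIBC__) && !defined(__USE_GNU)
/* Only needed if a libc header was included before _GNU_SOURCE was defined. */
struct mmsghdr { struct msghdr msg_hdr; unsigned int msg_len; };
int sendmmsg(int, struct mmsghdr *, unsigned int, int);
int recvmmsg(int, struct mmsghdr *, unsigned int, int, struct timespec *);
#endif

#define BATCH   32  /* datagrams per syscall (assumed value, tune per workload) */
#define PAYLOAD 18  /* 64-byte frame - 14 Ethernet - 4 FCS - 20 IPv4 - 8 UDP */

/* Send n identical datagrams to dst, up to BATCH per sendmmsg(2) call.
 * Returns datagrams sent or -1; *calls receives the number of syscalls. */
static int send_batch(int fd, struct sockaddr_in *dst, int n, int *calls)
{
    char payload[PAYLOAD];
    struct iovec iov = { .iov_base = payload, .iov_len = sizeof(payload) };
    struct mmsghdr msgs[BATCH];
    int sent = 0;

    memset(payload, 0xAB, sizeof(payload));
    memset(msgs, 0, sizeof(msgs));
    for (int i = 0; i < BATCH; i++) {          /* all messages share one buffer */
        msgs[i].msg_hdr.msg_name = dst;
        msgs[i].msg_hdr.msg_namelen = sizeof(*dst);
        msgs[i].msg_hdr.msg_iov = &iov;
        msgs[i].msg_hdr.msg_iovlen = 1;
    }
    for (*calls = 0; sent < n; (*calls)++) {
        int want = n - sent < BATCH ? n - sent : BATCH;
        int rc = sendmmsg(fd, msgs, want, 0);  /* rc = datagrams accepted */
        if (rc <= 0)
            return -1;
        sent += rc;
    }
    return sent;
}

/* Receive n datagrams, up to BATCH per recvmmsg(2) call. MSG_WAITFORONE blocks
 * for the first datagram only. Returns datagrams received or -1 on failure. */
static int recv_batch(int fd, int n, int *calls)
{
    char bufs[BATCH][64];
    struct iovec iov[BATCH];
    struct mmsghdr msgs[BATCH];
    int got = 0;

    memset(msgs, 0, sizeof(msgs));
    for (int i = 0; i < BATCH; i++) {          /* one receive buffer per slot */
        iov[i].iov_base = bufs[i];
        iov[i].iov_len = sizeof(bufs[i]);
        msgs[i].msg_hdr.msg_iov = &iov[i];
        msgs[i].msg_hdr.msg_iovlen = 1;
    }
    for (*calls = 0; got < n; (*calls)++) {
        int want = n - got < BATCH ? n - got : BATCH;
        int rc = recvmmsg(fd, msgs, want, MSG_WAITFORONE, NULL);
        if (rc <= 0)
            return -1;                         /* error or receive timeout */
        for (int i = 0; i < rc; i++)           /* msg_len = bytes in datagram i */
            if (msgs[i].msg_len != PAYLOAD)
                return -1;
        got += rc;
    }
    return got;
}

/* Loopback round trip; returns datagrams received or -1 on any failure. */
static int loopback_demo(int n, int *tx_calls, int *rx_calls)
{
    struct sockaddr_in addr = { .sin_family = AF_INET,
                                .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t alen = sizeof(addr);
    struct timeval tmo = { .tv_sec = 1 };      /* never hang on a lost datagram */
    int rx = socket(AF_INET, SOCK_DGRAM, 0), tx = socket(AF_INET, SOCK_DGRAM, 0);
    int got = -1;

    if (rx >= 0 && tx >= 0 &&
        bind(rx, (struct sockaddr *)&addr, sizeof(addr)) == 0 &&   /* port 0 */
        getsockname(rx, (struct sockaddr *)&addr, &alen) == 0 &&
        setsockopt(rx, SOL_SOCKET, SO_RCVTIMEO, &tmo, sizeof(tmo)) == 0 &&
        send_batch(tx, &addr, n, tx_calls) == n)
        got = recv_batch(rx, n, rx_calls);
    if (rx >= 0) close(rx);
    if (tx >= 0) close(tx);
    return got;
}

int main(void)
{
    int txc = 0, rxc = 0, got = loopback_demo(64, &txc, &rxc);
    printf("%d datagrams: %d sendmmsg calls, %d recvmmsg calls\n", got, txc, rxc);
    return got == 64 ? 0 : 1;
}
```

With 64 datagrams the sender enters the kernel twice instead of 64 times, so the fixed per-syscall cost is spread over 32 packets per call.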

Poul-Henning Kamp a.k.a. phk
Gettys' principles (July 02, 2014, 08:18 UTC)
Poul-Henning Kamp I am sitting here trying to stuff some common sense into the HTTP/2.0 standardization process. It is hard work that would be easier if more people knew and respected "Gettys' Rules". Many years ago, Jim Gettys formulated some basic principles for X11 development, which ...


June 29, 2014
Martin Schlander a.k.a. cb400f
Jolla and KDE Connect (June 29, 2014, 16:08 UTC)
Martin Schlander

KDE Connect

KDE Connect is a piece of software that integrates your KDE desktop with Android devices. It enables you to share the clipboard, share files, use your Android device as a mousepad or remote control for MPRIS enabled media players on your desktop, have a battery indicator for your Android device on your desktop and more. Even more features are planned. All this is done over wifi.

Jolla

Jolla is of course the coolest smartphone on the market, it runs SailfishOS, but it comes with an Android runtime (Alien Dalvik) which lets you run most Android apps perfectly fine on the Jolla.

KDE Connect on the Jolla

So I had to see if KDE Connect would work with the Jolla, and at least some of the main features work perfectly. I can now use my Jolla as a wireless mousepad for my KDE desktops, and I can use my Jolla as a remote control for e.g. Amarok. I can also work with the filesystem in the Dolphin file manager, but only the Android runtime folders of the Jolla filesystem are exposed to KDE this way.

Quite a few of the features don’t seem to work – notifications, battery indicator, sending files via the Dolphin context menu (right click) and clipboard sharing.

Media Player Remote Control


How to set it up

1) Install KDE Connect on your desktop (on openSUSE install the package ‘kdeconnect-kde’ from the KDE:Extra repository). Also install ‘sshfs’ if you want to be able to mount the Android folders on the Jolla in Dolphin.

2) Install KDE Connect on your Jolla (personally I installed the binaries from the F-Droid app store, but binaries are also available in Google Play and 1MobileMarket).

3) Connect your Jolla to the wifi of the same network as your desktop computer and make sure you don’t have a firewall running (or allow traffic for the range of ports 1714-1764 for both TCP and UDP).

4) Launch the KDE Connect app on the Jolla and go to KDE ‘systemsettings’ -> KDE Connect and pair your phone with the desktop.


June 27, 2014
Poul-Henning Kamp a.k.a. phk
Historic IT successes/disasters (June 27, 2014, 07:07 UTC)
Poul-Henning Kamp There is a conference for historic IT in the Nordic countries, "HiNC", and it comes to Denmark on August 13-15. It is quite fantastic how widely the program ranges, from the mega-success CPR via "APL in the Nordic countries" to the giant fiasco EPJ. I am well aware that not everyone ...


June 25, 2014
Peter Toft a.k.a. pto
Peter Toft I am very fond of programming in Python. It is clearly the best programming language I have worked with. There are two things I regularly need: finding out where in my code I use the most CPU power and the most memory, respectively. For C/C++ code I have a very good handle on it, but for Python ...


Poul-Henning Kamp a.k.a. phk
A guy with a good time machine... (June 25, 2014, 08:54 UTC)
Poul-Henning Kamp ...reveals what the keynote talk at the Perl conference 2034 sounds like. The future is not what we were promised. The relevant question is not "time machine?" or "Perl conference 2034?!" but "Is that the world we want to live in?" Charles Stross's strength as a "near-term" science fiction author...


June 13, 2014
Reverse charge (June 13, 2014, 06:28 UTC)

Our government is working hard to ease the administrative burdens, they claim.

But reality is quite different.

The VAT Act's rules on reverse charge can only be seen as pure harassment.

The following is clipped from http://www.bakertilly.dk/sidste-nyt/vejledning-til-omvendt-betalingspligt/

Judge for yourself…

June 11, 2014
Kenneth Geisshirt a.k.a. kneth
Emacsforum 2011 (June 11, 2014, 19:06 UTC)
Kenneth Geisshirt Emacsforum 2011
Peter Toft and I are in the process of preparing Emacsforum 2011 with some help by Troels Henriksen (at DIKU) and Keld Simonsen (from KLID). The program is almost ready for publication, so I will not say too much - but there will be something for scientists and developers. Even our Evil Twin will be represented.

The mini-conference takes place 12th November 2011 at DIKU. There is no conference fee - and there will be no benefits.

If you are using Emacs (and even XEmacs) and live in the Copenhagen area, Emacsforum is a good place to meet fellow users.
Poul-Henning Kamp a.k.a. phk
The Queen's Trojan Cyber Guard (June 11, 2014, 08:35 UTC)
Poul-Henning Kamp Everything indicates that the Folketing will pass the Armed Forces' new ceremonial cyber guard today. Bill L.192 basically contains the legal basis for posting a soldier on parade at the firewalls of all public IT systems, where he can stand and see whether any tourists try to get past. The absolute most...


June 08, 2014
More people in work. (June 08, 2014, 18:13 UTC)

We still have many people out of work. We can do something about that.

1. Remove VAT on services. The lost revenue will come back in the form of savings on transfer payments and increased tax revenues. More people in work and a better balance of payments.

2. Replace the property value tax on real estate with a tax on the gain from property sales, less documented expenses for improvements and maintenance. Then value growth created by undeclared work is taxed = more declared and less undeclared work.

3. Raise the repair limit for total loss of motor vehicles from the current 75% to 100% of the value. That will give work to a great many panel beaters and mean fewer imports of new vehicles. More people in work, a better balance of payments and less environmental impact.

4. Replace license-based software in the public sector with free software and use the annual saving of more than 3 billion to improve this software. More people in work, a higher level of knowledge, a better balance of payments and higher national security.

Come up with more yourself, it is not that hard.

June 05, 2014
Poul-Henning Kamp a.k.a. phk
The need for foundations... (June 05, 2014, 08:14 UTC)
Poul-Henning Kamp Today is Constitution Day and politicians are churning out platitudes etc. The Constitution (Grundloven) is so named because it is the foundation under our civilization; basically it is the only thing that prevents me from murdering people I don't agree with, the rest of the laws are just detail legislation meant to give the Constitution...


June 04, 2014
Pktgen for network overload testing (June 04, 2014, 17:38 UTC)
Want to get maximum performance out of the kernel level packet generator (pktgen)?
Then read this blogpost:

  • Simple tuning will increase performance from 4Mpps to 5.5Mpps (per CPU)


You might see pktgen as a fast packet generator, which it is, but I (as a kernel developer) also see it as a network stack testing tool of the TX code path.

Pktgen has a parameter "clone_skb", which specifies how many times to send the same packet, before freeing and allocating a new packet for transmission.  This affects performance significantly, as it can remove a lot of memory allocation and access overhead.

I have two distinctly different use-cases for stack testing:

  1. clone_skb=1      tests the stack alloc/free overhead (related to the SKB)
  2. clone_skb=100000 tests the NIC driver layer
Let's focus on case 2, driver layer.


Tuning NIC driver layer for max performance:
The default NIC settings are not tuned for pktgen's artificial overload type of benchmarking, as this could hurt the normal use-case.

Specifically increasing the TX ring buffer in the NIC:
 # ethtool -G ethX tx 1024

A larger TX ring can improve pktgen's performance, while it can hurt in the general case, 1) because the TX ring buffer might get larger than the CPU's L1/L2 cache, 2) because it allows more queueing in the NIC HW layer (which is bad for bufferbloat).

One should be careful to conclude, that packets/descriptors in the HW TX ring cause delay.  Drivers usually delay cleaning up the ring-buffers (for various performance reasons), thus packets stalling the TX ring, might just be waiting for cleanup.

This "slow" cleanup issue is specifically the case for the driver ixgbe (Intel 82599 chip).  This driver (ixgbe) combines TX+RX ring cleanups, and the cleanup interval is affected by the ethtool --coalesce setting of parameter "rx-usecs".

For ixgbe use e.g "30" resulting in approx 33K interrupts/sec (1/30*10^6):
 # ethtool -C ethX rx-usecs 30

Performance data:
Packet Per Sec (pps) performance tests using a single pktgen CPU thread, CPU E5-2630, 10Gbit/s driver ixgbe. (using net-next development kernel v3.15-rc1-2680-g6623b41)

Adjusting the "ethtool -C ethX rx-usecs" value affects how often we clean up the ring.  Keeping the default TX ring size at 512, and adjusting "rx-usecs":
  • 3,935,002 pps - rx-usecs:  1 (irqs:  9346)
  • 5,132,350 pps - rx-usecs: 10 (irqs: 99157)
  • 5,375,111 pps - rx-usecs: 20 (irqs: 50154)
  • 5,454,050 pps - rx-usecs: 30 (irqs: 33872)
  • 5,496,320 pps - rx-usecs: 40 (irqs: 26197)
  • 5,502,510 pps - rx-usecs: 50 (irqs: 21527)
Performance when adjusting the TX ring buffer size. Keeping "rx-usecs==1" (default) while adjusting TX ring size (ethtool -G):
  • 3,935,002 pps - tx-size:  512
  • 5,354,401 pps - tx-size:  768
  • 5,356,847 pps - tx-size: 1024
  • 5,327,595 pps - tx-size: 1536
  • 5,356,779 pps - tx-size: 2048
  • 5,353,438 pps - tx-size: 4096
Adjusting the cleanup interval (rx-usecs) seems to win over simply increasing the TX ring buffer size. This also proves the theory that the TX queue is filled with old packets/descriptors that need cleaning.
(Edit: updated numbers to be clean upstream, previously included some patches)

Tools: Want an easy-to-use script for pktgen? Look here
More details on pktgen advanced topics by Daniel Turull.
June 03, 2014
Sune Vuorela a.k.a. pusling
Bringing KDE forward (June 03, 2014, 20:31 UTC)

The almost-yearly large KDE-sprint in Randa, Switzerland is doing a fundraiser to get this year’s event running. See http://www.kde.org/fundraisers/randameetings2014/

This year it is, besides the recurring multimedia topics, a lot about improving the new KDE Frameworks, the related documentation and the development experience with IDEs and such.

It is also a good way to come full circle, since it was back in 2011 when I was at the Randa Meetings that the KDE Frameworks initiative was started.

So once again: http://www.kde.org/fundraisers/randameetings2014/


Poul-Henning Kamp a.k.a. phk
SCOTUS on patents, continued... (June 03, 2014, 07:22 UTC)
Throughout this season the US Supreme Court has had a number of patent cases on its docket, and rulings came down in two of them yesterday: Limelight Networks, Inc. v. Akamai Technologies, Inc. and Nautilus, Inc. v. Biosig Instruments, Inc. In both cases, as in the previous ones, the special patent appeals court ("Federal Circu...


June 02, 2014
Our home is for sale. (June 02, 2014, 04:46 UTC)

Now that 2 of our children have moved out and the last one is going abroad on exchange, we have decided to make room for a new family.

We are talking about a lovely, sound villa of 197 m2 at Smedievej 66 in Hillerød. Among the many things that have made us enjoy living here are:

Child-friendly area with path systems, close to school, daycare and public transport.

Lovely bright and spacious living room where we have, among other things, held confirmations with no fewer than 45 at the table.

3 good rooms on the ground floor and 3 on the 1st floor, one of them with a balcony. Possibility of 7 good rooms by dividing the largest.

Delightful marble bathroom with shower on the ground floor and a bathroom with tub on the 1st floor.

Well-functioning and well-appointed Modulia quality kitchen with plenty of counter space and newer appliances.

2 toilets on the ground floor.

Insulated attic with plenty of room for the things you do not use every day.

Lovely covered terrace with dark tiles that soak up the heat during the day and keep it warm in the evening, so you can enjoy outdoor life from April to October.

Nice large driveway paved with "herregårdssten" paving stones.

Huge carport with room for both a caravan and 2 cars.

Insulated and heated hobby workshop of 9 m2.

Lovely flowering, secluded garden with many nice nooks, fruit trees and birdsong.

The house is heated with cheap district heating. There is also a wood-burning stove for a cosy evening.

Everything is well maintained and in good condition. Ready to move in!

You can see some pictures by clicking here

It can be yours for kr. 2.875.000,-

See more at http://www.selvsalg.dk/bolig/11958/smedievej_66-3400-hilleroed

Curious? Then call 20669860.

 

 

May 30, 2014
Peter Toft a.k.a. pto
I saw an interesting little story yesterday. A Dane (Jon Clausen) receives a phishing mail similar to this one. That is of course something you should NEVER do. It is fraud and a scam! When Jon got the mail he thought a little further. He wanted to pass them on to NemID together with the associated log ent...


May 27, 2014
Peter Makholm a.k.a. brother
Version2.dk: New contacts at Borgen (May 27, 2014, 15:39 UTC)
It is always a pleasure to talk with engaged politicians. This morning that was exactly my experience when I, together with Jeppe Morgenthaler, was invited to Borgen to talk about the data retention order (logningsbekendtgørelsen) and surveillance with the Social Democrats' Mette Reissmann. Unlike my attempts to get ...
May 26, 2014
Peter Makholm a.k.a. brother
I must confess that I have joined in laughing at Martin Thorborg's job posting, and I have also shared a laugh over other similar postings. When he actually gets angry about the reaction, I laugh again while I consider sending a roll of "tudekiks" (crybaby biscuits). But the problem of attracting the most talented ...
May 25, 2014
Peter Toft a.k.a. pto
On Friday the siren sounded in Greve at about 16:30 while I was driving home. Gut reaction: turn on the radio. A couple of minutes later there was an emergency announcement about a fire in Ringsted, and nothing else. Since Greve and Ringsted are about 40 km apart, it was a bit mysterious. Five minutes later I came...


May 21, 2014
Poul-Henning Kamp a.k.a. phk
Enhedslisten's missing principle (May 21, 2014, 10:21 UTC)
Enhedslisten's proposal on security in the digital infrastructure is apparently the first that any Danish party has ever produced. That is thought-provoking in itself, but it also means we must cut them some slack: the first serve is always the hardest. I am not 100% sold on the idea of e...


May 20, 2014
Patent court (May 20, 2014, 13:47 UTC)

I ask you to take your responsibility very seriously when you vote yes or no on whether Denmark should hand over the right to rule in patent cases to a private organisation.

A yes may very well mean that legal certainty is torn away from under a number of Danish companies.

An example.

A company (A) that lives off speculating in patents goes through a software program written by a Danish company (B), finds something that is unique, and applies for a patent on it in another EU country. The patent is granted and is now valid in all the countries that are subject to the patent court. A now accuses B of patent infringement and offers B a settlement, whereby B pays kr. 120.000,- and thereby obtains the right to use its own software. If B does not pay, A will seek an injunction against B using the patented software. The Danish authorities will make sure the injunction is enforced, regardless of whether B can prove that the code was in use before the patent was taken out. The evidence must first be presented to a judge in the country where the patent was granted, which means that B must bear the cost of conducting a lawsuit in another EU country, with everything that entails in expenses for interpreters, lawyers, travel, accommodation, lost earnings and so on. Presumably a far greater cost than the offered settlement.

Should we run that risk?

It will not happen, says the Confederation of Danish Industry (Dansk Industri, DI). But DI will not guarantee that it does not happen, nor will they cover the cost if it happens anyway.

The unified patent court means that companies that use the patent system only have to apply in one place to obtain a patent in all the countries that have ceded sovereignty to this court. If we say yes, these patents will also apply in Denmark. It makes no real difference for companies operating in the international market, since they in any case have to apply for a patent at the European Patent Organisation (EPO), and the cost of this is the same whether we say yes or no. A no will, however, mean that they can choose to apply for the patent in Denmark as well, which costs about kr. 5.000,- and is unnecessary for most of them.

May 16, 2014
Patent court (May 16, 2014, 06:03 UTC)

Did you know that the European Patent Organisation, EPO, which is a private organisation, is above the law? For example, the EPO issues patents on plants, which is clearly contrary to the legislation, but there is no authority that can force the EPO to comply with the law. The European patent court, which is subordinate to the EPO, will soon be ready to convict plant breeders if, through ordinary breeding work, they breed plants that others have patented. Once you have been convicted by this court, there is no possibility of appeal.

Should the Danes submit to this court?

May 12, 2014
Poul-Henning Kamp a.k.a. phk
The net before the Internet (May 12, 2014, 08:53 UTC)
Before we got the Internet in Denmark, we had another public data network, two in fact. X.21 was a "binary telephone": pretty much exactly as you would dial up with a telephone, you dialled up with X.21, and the call was a synchronous binary bit stream over which you could run just about whatever you wanted ...


May 11, 2014
Peter Toft a.k.a. pto
Do you believe in Santa Claus .. and your backup? (May 11, 2014, 20:00 UTC)
All the news services are currently wallowing in the Se og Hør scandal, which I do not at all expect to be unique. We so often have things in everyday life where we trust that things are "just" in order, which may not be at all. I am guessing that the same issue applies to our backup situation. I ha...


May 08, 2014
Poul-Henning Kamp a.k.a. phk
IBM mainframes are a security risk (May 08, 2014, 07:35 UTC)
This will be very short: I have a full schedule today. A quite central factor in Nets' lack of privacy protection is that they run things on big IBM mainframes. Many nice things can be said about mainframes, and they certainly have been, because they have their 50th anniversary this year, but objectively one can ...


May 05, 2014
Poul-Henning Kamp a.k.a. phk
Nets are not credible (May 05, 2014, 15:36 UTC)
It is very clear that Nets has the wrong attitude to security. When a photographer approached them with evidence that stank from far away, they could not find any problem, but now that the case has been X-rayed in all the media, they can suddenly find something after all. It sounds like an organisation that focuses on "p...


May 03, 2014
Jesper Nyerup a.k.a. nyerup
Web site overhaul (May 03, 2014, 20:56 UTC)

This is my new web site. It’s not all that different from my old web site, but it’s new none the less. The content is the same, the looks of it are largely the same, the server running it is the same, but I’d like to take a few moments to mention some of the changes I’ve made.

New site engine

The old one was Jekyll. The new one is Pelican. Not much to say about that. I’ve never been much of a Ruby dude, and I’ve written my fair share of Python lately, both for fun and work. Apparently a lot has happened to Jekyll since I last checked, but I’ve already done some good hacking in Pelican, and for my pretty simple use case, it does the trick well.

SSL, privacy and insourcing

Everyone remembers Heartbleed. Some also remember the other pretty serious zero-day crypto weaknesses we’ve seen during the last few years, and whether we like it or not, there really is no going back on everyone’s increasing need for the option of having secure, private data transfers online.

This web site was vulnerable to the Heartbleed bug — as were the other SSL-enabled services running along with it on this server. Most services all over the internet were, if they were running OpenSSL and were reasonably maintained and updated. I updated my OpenSSL a few hours after the bug got widely known, and since then I think I’ve taken my precautions to avoid being vulnerable to the aftermath of this particular bug.

However — it’s difficult not to look at the broader picture. This is certainly not the last worldwide crypto exploit we’ll see, and it’s inherently impossible to tell the nature of the next one.

One thing I’ve done is to stop depending on external assets when serving this web site. My old site fetched a number of bits of javascript, CSS, etc. from different services across the web. Anything from JQuery through Google Analytics to different generic widgets and bling-blings.

Now I’ve taken everything with a license permitting it and fetched it to serve locally. Everything else I’ve replaced or done without. It turned out to be less difficult than I anticipated. That way crypto is solely a matter between me and my readers.

Responsive design

I’m not a web site craftsman. I’m fluent in neither CSS nor Javascript, and it actually bothers me from time to time, as I’m very conscious about typography, graphical composition and user interfaces.

For my old site I tried to type up different incarnations of style sheets for different client resolutions in an effort to get an acceptable layout on phone and tablet browsers, but nothing really worked well. When I reached an okay result on one phone, everything else went to crap.

This time I started out with Twitter Bootstrap, and built all my templates with their building blocks. I realise what people say about Bootstrap only taking you so far, and whenever you need to do something outside the system’s paradigm, stuff gets messy. Luckily I’m a simple guy, and I’ve easily managed with the provided elements.

All in all

.. this is just for me. I know you don’t notice the change, and quite frankly, you weren’t meant to. This is just a matter of scratching a few itches, and learning just enough to not forget how to keep your fingers in the matter.

But it felt good.
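
One way to verify the "no external assets" change described above on the generated pages (an added example, not code from the original post): it lists every resource a page would make the browser fetch from another host. The host names and the sample HTML are constructed.

```python
"""List assets an HTML page loads from hosts other than the site's own.

Added example; the sample page and host names below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose URL attribute the browser fetches automatically on page load.
FETCHED = {"script": "src", "img": "src", "iframe": "src",
           "audio": "src", "video": "src", "source": "src",
           "embed": "src", "link": "href"}
# <link> is only fetched for these rel values; rel="canonical" etc. are not.
FETCHED_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch"}


class AssetCollector(HTMLParser):
    """Collect (tag, url) for every automatically fetched resource."""

    def __init__(self):
        super().__init__()
        self.assets = []

    def handle_starttag(self, tag, attrs):
        attr_name = FETCHED.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHED_LINK_RELS:
                return
        url = attrs.get(attr_name)
        if url:
            self.assets.append((tag, url.strip()))


def external_assets(html, site_host):
    """Return the (tag, url) pairs served by a host other than site_host."""
    collector = AssetCollector()
    collector.feed(html)
    external = []
    for tag, url in collector.assets:
        # urlparse also handles scheme-relative URLs such as //cdn.example/x.js;
        # relative and root-relative URLs have no hostname and stay local.
        host = urlparse(url).hostname
        if host is not None and host != site_host.lower():
            external.append((tag, url))
    return external


SAMPLE_PAGE = """
<html><head>
<link rel="stylesheet" href="/theme/css/bootstrap.min.css">
<link rel="stylesheet" href="https://fonts.example.net/css?family=Sans">
<link rel="canonical" href="https://other.example.com/post">
<script src="//cdn.example.net/jquery.min.js"></script>
<script src="theme/js/site.js"></script>
</head><body>
<img src="https://blog.example.org/images/me.png">
<img src="http://stats.example.com/pixel.gif">
<a href="https://elsewhere.example.com/">a plain link, not an asset</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in external_assets(SAMPLE_PAGE, "blog.example.org"):
        print(f"external <{tag}>: {url}")
```

Run over every file in the generated output directory, an empty result means readers only ever connect to the site's own host.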

May 02, 2014
Georg Sluyterman a.k.a. sman

I just got a 27″ iMac (version 14,2) and had a hard time finding status reports online on how well it works with Ubuntu alongside OS X. Also it seems the guides online are not that updated and there are various ways to install Ubuntu – but which way works and gives the best result? Below is my experience and how I got it to work.

tl;dr

Besides a small issue with headphones audio, and installing an extra program for handling bluetooth HID-devices, Ubuntu 14.04 works very well with iMac14,2. Everything works out of the box (including the webcam, WiFi and HDMI via mini DisplayPort). In other words the result is close to perfect!

[Image: ubuntu_on_iMac]

Some notes about rEFInd and boot camp

Some sites say that rEFInd is needed in order to boot Ubuntu on a Mac. As far as I can see those times are over.

Using Apple's Boot Camp creates some legacy BIOS emulation for Windows and should have some pitfalls when using Ubuntu.

Bottom line: I used neither rEFInd nor Boot Camp, and it works all right without.

Installing Ubuntu on iMac alongside OS X

Based on this guide.

The following was how I in May 2014 installed Ubuntu 14.04 LTS on an iMac 27″ (iMac14,2). During the installation you would need a keyboard and a mouse connected via USB.

You can see what version of iMac you are using with the following command (iMac14,2 for me):

OS X: sysctl hw.model

Ubuntu: sudo dmidecode -s system-product-name

  • Preparing a USB boot medium

In OS X: Download Ubuntu 14.04 LTS from a mirror close to you:

wget http://mirrors.dotsrc.org/ubuntu-cd/14.04/ubuntu-14.04-desktop-amd64.iso

Convert the iso. Otherwise the Mac apparently cannot boot from the USB drive.

hdiutil convert ubuntu-14.04-desktop-amd64.iso -format UDRW -o ubuntu-14.04-desktop-amd64.img

Insert your USB flash drive and determine what the device name is

diskutil list

Unmount the USB flash drive and write the .img file to the flash drive (replace N with the disk number from the command above. For me it was 1).


diskutil unmountDisk /dev/diskN
sudo dd if=ubuntu-14.04-desktop-amd64.img.dmg of=/dev/diskN bs=1m

  • Boot live Ubuntu and do basic testing

Before you install Ubuntu on your Mac, I recommend that you boot into a live Ubuntu and look around how well it works on the hardware you have (Select “Try Ubuntu without installing”).

Boot options when holding down the option key. Shut down OS X and turn on your computer again. During startup hold down the option key (normally marked alt and located between the ctrl and cmd keys, to the left of the space key).

Ubuntu should now boot and you can do your testing. Reboot when done and boot back into OS X.

  • Repartition your disk

In OS X start Disk Utility. Choose your disk and create an adequate portion of free space by clicking the +, thus shrinking the existing partition. Apparently doing this with gparted from Ubuntu may result in OS X not being able to boot.

[Image: Disk_Utility]

  • Boot live Ubuntu and install Ubuntu

It is important that you do not reboot your computer after having installed Ubuntu, since we need to modify EFI so that we can actually boot Ubuntu.

Shut down OS X and boot, again holding down the option key and booting Ubuntu (Select Try Ubuntu without installing).

When Ubuntu has booted install Ubuntu. When asked about Installation type simply check Install Ubuntu alongside Mac OS X.

  • Post installation on live system

Once you have installed Ubuntu do not reboot just yet. Run the following in a shell:

sudo apt-get install efibootmgr
sudo efibootmgr

My output was:

BootCurrent: 0000
Timeout: 5 seconds
BootOrder: 0080
Boot0000* ubuntu
Boot0080* Mac OS X
Boot0082*
BootFFFF*

In order to get the computer to boot from Ubuntu the BootOrder parameter has to include Ubuntu (with the address 0x0080). This is done by executing the following:

sudo efibootmgr -o 0,80

Now you may reboot your computer and startup Ubuntu.

  • Getting the Apple Magic Mouse and Wireless Keyboard to work

Remember to turn on the mouse and keyboard. For the mouse it helps to click it in order to activate it.

In the top right corner select the bluetooth icon and choose “Set Up New Device”.

[Image: bluetooth_setup_new_device]

For the keyboard I just selected it, clicked continue and entered the PIN it showed on the keyboard followed by the enter key and it worked. For the Magic Mouse choosing the PIN 0000 seemed not to work, though as far as I could read on various sites it should, so I installed blueman.

sudo apt-get install blueman
sudo blueman-assistant

The latter opens a wizard where it is possible to choose the mouse and use it as an “input service”.

[Image: bluetooth-assistant]

  • Getting headphones to work (built-in speakers work out of the box)

The built-in speakers work fine but I could not get the headphones plug to work out of the box. I found many (not all too recent) guides suggesting everything from messing around with alsa-mixer to inserting stuff like options snd-hda-intel model=imac27_122 into /etc/modprobe.d/alsa-base.conf followed by alsa force-reload. None of it worked for me.

The thing that worked for me was using a small program called hda-analyzer from the ALSA project:

wget www.alsa-project.org/hda-analyzer.py -O run.py
sudo python run.py

The script downloads some more python files from the ALSA project and you get the following window:

[Image: hda-analyzer_before]

Choose Codec-0 and de-select the row [1] and select the row [2] as shown below (check the data column as the last column, or you will be unable to select it, it seems):

[Image: hda-analyzer_after]

hda-analyzer changes which output is used (if you want to go back to the built-in speakers you need to click around in hda-analyzer again – it does not happen automatically :-/ ).

The setting for the audio play through the headphones plug is not persistent across reboots. Since I only use headphones I want this to happen automatically when I log in. This is possible by choosing the Exp button at the bottom to the left. hda-analyzer then generates a little python script that can be used to set the current settings.

[Image: hda-python-script]

Save the file and move it to e.g. /usr/local/bin/fix-imac-external-audio.py

In .bashrc add

/usr/bin/sudo /usr/local/bin/fix-imac-external-audio.py

with sudo visudo add (substitute username with your actual username):

username ALL = NOPASSWD: /usr/local/bin/fix-imac-external-audio.py

Now this is not an ideal solution – but it solved the problem for me (and should I have removed the headphones jacks and put them back in I just start a new shell). There is probably a much better location for the script, in order to only run the script once when Unity is started.

  • For non-US keyboard, getting <> key to work

From this guide.
I got a Danish keyboard with a button containing the characters < and > between shift and the letter Z. However that is not what I get when pressing it (I get ½). Executing the following fixes that:

echo 0 | sudo tee /sys/module/hid_apple/parameters/iso_layout

This is not persistent across reboots, so we need to run the following:

echo options hid_apple iso_layout=0 | sudo tee -a /etc/modprobe.d/hid_apple.conf
sudo update-initramfs -u -k all

  • Graphics driver

The default driver is not well suited for e.g. watching videos. In the Additional Drivers program choose the NVIDIA binary driver.

  • Booting into OS X

Hold down the option key at boot and choose Macintosh HD

  • Feedback

Feel free to give me feedback, e.g. by email. Especially I would like to hear about a better solution for the headphones fix.

I would love to see a good guide on Ubuntu’s community pages. Since I am new with Ubuntu on Mac I will let somebody more experienced on that topic write such a page :)

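
The headphones step above lets `username` run /usr/local/bin/fix-imac-external-audio.py as root without a password from every new shell, which is only safe if that user cannot modify or replace the file. The following audit of such a target is an added example, not part of the original post; the function names and the `trusted_uid` and `stop_at` parameters are this example's own.

```python
"""Audit a file that sudoers lets a user run as root without a password.

Added example. A NOPASSWD entry is only as strong as the file it names: if
the invoking user can modify or replace that file, the entry amounts to
passwordless root.
"""
import os
import stat
import sys


def owner_and_mode_findings(path, st, trusted_uid):
    """Findings for one file or directory given its stat result."""
    findings = []
    if st.st_uid != trusted_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {trusted_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        mode = stat.S_IMODE(st.st_mode)
        findings.append(f"{path}: writable by group or others (mode {mode:04o})")
    return findings


def audit_nopasswd_target(path, trusted_uid=0, stop_at="/"):
    """Return a list of findings; an empty list means nothing was found.

    trusted_uid: the only uid allowed to own the file and its directories
                 (root, uid 0, in a real deployment).
    stop_at:     highest directory to inspect; "/" checks every ancestor.
    """
    if not os.path.isabs(path):
        return [f"{path}: sudoers targets must be absolute paths"]
    try:
        st = os.lstat(path)
    except OSError as exc:
        return [f"{path}: cannot stat ({exc.strerror})"]

    findings = []
    if stat.S_ISLNK(st.st_mode):
        findings.append(f"{path}: is a symlink; audit the file it points to")
    elif not stat.S_ISREG(st.st_mode):
        findings.append(f"{path}: not a regular file")
    else:
        findings += owner_and_mode_findings(path, st, trusted_uid)

    # Whoever can write to a containing directory can rename the script away
    # and put their own file in its place, so the directories matter as well.
    directory = os.path.realpath(os.path.dirname(path))
    top = os.path.realpath(stop_at)
    while True:
        findings += owner_and_mode_findings(
            directory, os.stat(directory), trusted_uid)
        parent = os.path.dirname(directory)
        if directory == top or parent == directory:
            break
        directory = parent
    return findings


if __name__ == "__main__":
    # Default is the path used in the post; pass another path as argument.
    target = (sys.argv[1] if len(sys.argv) > 1
              else "/usr/local/bin/fix-imac-external-audio.py")
    problems = audit_nopasswd_target(target)
    for problem in problems:
        print("FAIL", problem)
    if not problems:
        print("OK", target)
    sys.exit(1 if problems else 0)
```

A file saved from the hda-analyzer export by the normal user and then moved into place keeps that user as its owner, which is exactly the case the first check reports.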

Poul-Henning Kamp a.k.a. phk
Nets has come out with a statement that "they cannot secure themselves against the human factor". That is, first of all, wrong: you certainly can. Secondly, it shows where the core of this whole row really lies: responsibility for security problems must always be placed 100% precisely with those who dec...


May 01, 2014
Poul-Henning Kamp a.k.a. phk
So what could and should Nets, IBM and the Danish Data Protection Agency (Datatilsynet) have done? How does one implement sensible IT security at all? First of all, one must understand that IT security, like all other forms of security, is at bottom social ceremonies and not something where you buy some box...


April 30, 2014
trafgen a fast packet generator (April 30, 2014, 17:53 UTC)
The netsniff-ng toolkit version 0.5.8 has been released.

One of the tools included in the netsniff-ng toolkit is "trafgen", a multi-threaded low-level zero-copy network packet generator.  The recent release contains some significant performance improvements to that traffic generator.

Single CPU generator performance on an E5-2630 CPU, with the Intel ixgbe/82599 chip, reaches 1.4 Million Packets Per Sec (Mpps) when using the recent kernel (>= v3.14) feature of qdisc bypass for RAW sockets, and around 1.2 Mpps without bypassing the qdisc system in the kernel. (Default is to use the qdisc bypass if available; for testing purposes the qdisc path can be enabled via the command line option "--qdisc-path".)

In this release, I've also made "trafgen" scale to more CPUs:


The hard part of using trafgen is specifying and creating the packet description input file.  I really enjoy the flexibility when defining the packet contents, but without good examples as a starting point, it can be a daunting task.

For that reason, I've made some examples available at github here:


I've used the SYN attack example while developing the SYNPROXY module, see my other blogpost. I'm releasing this example now, because solutions for mitigating this attack are now available.

Jon Schipp also has a solution and has created a script "gencfg" for generating trafgen packet description input files, available on GitHub: https://github.com/jonschipp/gencfg


Notice: to get these performance numbers you need to tune your packet generator machine for network overload testing.
Hey, I'm also blogging on the Red Hat Enterprise Linux Blog

I recently did a very practical post on Mitigating TCP SYN Flood Attacks with iptables/netfilter, with the hope of providing the world with a practical solution to these annoying SYN-flood DDoS attacks that we have been seeing for the last 20 years.

I've also been touring with a technical talk on the subject, and the most recent version of the slides is here.

There is also a YouTube video of my presentation at DevConf 2013.
Poul-Henning Kamp a.k.a. phk
You get what you pay for (April 30, 2014, 12:25 UTC)
Yesterday I promised to write a blog post about Nets' and IBM's security problem. Let me start by establishing that no matter how abominable I in every way find magazines like Se og Hør, with their medieval view of women, gloating know-it-all attitude and cynical destruction of people in the pursuit of profit, h...


April 29, 2014
Poul-Henning Kamp a.k.a. phk
Today a party, tomorrow IT security... (April 29, 2014, 11:36 UTC)
Quite a lot of journalists want me to comment on Nets' and IBM's security problem. And no, it is not Se og Hør that is the problem; it is Nets and IBM that are the problem. But it will not be today, because today we celebrate that Varnish 4.0 is out the door. phk


Basic tuning for network overload testing (April 29, 2014, 10:12 UTC)
I'm doing a lot of network testing, where I'm constantly trying to push the limits of the hardware and network stack (in order to improve performance and fix scalability issues in the Linux Kernel).

Some basic tuning of the NICs (Network Interface Cards) and IRQs is required before we can start this "overload" testing mode.

1. First thing I do is to kill "irqbalance", to avoid it mangling my manual IRQ assignments.

 # killall irqbalance

2. Next, I align/bind the NIC's IRQs to CPUs (one-to-one).

I have a script for aligning the IRQs, that I copied from the Intel ixgbe driver tarball:
 # set_irq_affinity $DEV

The easiest way to view the current IRQ assignment is to use this "grep ." trick:
  # grep . /proc/irq/*/eth4{,-*}/../smp_affinity_list

3. Then I disable Ethernet Flow-Control

 # ethtool -A $DEV rx off tx off autoneg off

I'm disabling Ethernet Flow Control (PAUSE frames) because I want to create an overload situation. When my transmitter/generator machine is overloading the target machine, I don't want the target machine to send "backoff" PAUSE frames, especially if I'm testing the limits of the transmitter's network stack.

4. Unload all netfilter and iptables modules

I have a simple script for flushing iptables and unloading all the modules:
 # netfilter_unload_modules.sh

I usually also perform benchmarking and tuning of iptables/Netfilter modules, but for overload testing I'm unloading all modules, as these do introduce measurable overhead.


Extra: A word of caution regarding CPU sleep or idle states:
I've experienced issues when doing low-latency measurements with Sandy-E Bridge CPUs' C-states, because the CPU too aggressively tried to go into a sleep state, even under a high network load. The latency cost of coming out of a sleep state can be significant. Jeremy Eder has described these issues in detail in his blog:
  http://www.breakage.org/2013/08/oh-did-you-expect-the-cpu/

Simply use the tool "turbostat" to measure the different C-states.

And use the tool "tuned-adm" to adjust what profile you want to enable e.g.:
 # tuned-adm profile throughput-performance
 # tuned-adm profile latency-performance
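
Step 2 above, as an added example that is neither the Intel `set_irq_affinity` script nor the author's code: it reads /proc/interrupts, picks the queue vectors that the `eth4{,-*}` naming in the grep trick relies on, and binds queue N to CPU N. The sample input is constructed, and the `dev-...-N` vector naming is an assumption that fits ixgbe-style names.

```python
"""Plan a one-to-one IRQ-to-CPU binding for a NIC's queue interrupts.

Added example; SAMPLE_INTERRUPTS is constructed, not captured output.
"""
import os
import re
import sys

SAMPLE_INTERRUPTS = """\
           CPU0       CPU1       CPU2       CPU3
  0:         45          0          0          0   IO-APIC-edge      timer
 64:     812345          0          0          0   PCI-MSI-edge      eth4-TxRx-0
 65:     799001          0          0          0   PCI-MSI-edge      eth4-TxRx-1
 66:     805512          0          0          0   PCI-MSI-edge      eth4-TxRx-2
 67:     790876          0          0          0   PCI-MSI-edge      eth4-TxRx-3
 68:          3          0          0          0   PCI-MSI-edge      eth4
 70:       1200          0          0          0   PCI-MSI-edge      eth5-TxRx-0
NMI:          0          0          0          0   Non-maskable interrupts
"""


def parse_interrupts(text):
    """Return (cpu_count, [(irq, name), ...]) from /proc/interrupts text."""
    lines = text.strip("\n").splitlines()
    cpu_count = len(lines[0].split())          # header row: CPU0 CPU1 ...
    irqs = []
    for line in lines[1:]:
        label, _, rest = line.partition(":")
        fields = rest.split()
        # Named rows (NMI, LOC, ...) are not bindable device interrupts.
        if not label.strip().isdigit() or len(fields) <= cpu_count:
            continue
        irqs.append((int(label), fields[-1]))
    return cpu_count, irqs


def plan_affinity(text, dev):
    """Map each queue vector of dev (e.g. eth4-TxRx-3) to one CPU.

    Queue N goes to CPU N modulo the CPU count. The bare "eth4" vector has
    no queue number and is left where it is.
    """
    cpu_count, irqs = parse_interrupts(text)
    queue_name = re.compile(re.escape(dev) + r"-.*?(\d+)$")
    plan = []
    for irq, name in irqs:
        match = queue_name.match(name)
        if match:
            plan.append((irq, name, int(match.group(1)) % cpu_count))
    return sorted(plan)


def apply_plan(plan, proc_root="/proc"):
    """Write the plan to smp_affinity_list (needs root, irqbalance stopped)."""
    for irq, _name, cpu in plan:
        path = os.path.join(proc_root, "irq", str(irq), "smp_affinity_list")
        with open(path, "w") as handle:
            handle.write(f"{cpu}\n")


if __name__ == "__main__":
    # Dry run: print the plan for the device given as argument.
    device = sys.argv[1] if len(sys.argv) > 1 else "eth4"
    with open("/proc/interrupts") as source:
        for irq, name, cpu in plan_affinity(source.read(), device):
            print(f"IRQ {irq} ({name}) -> CPU {cpu}")
```

In the constructed sample all four eth4 queue interrupts have been serviced by CPU0; the plan spreads them over CPU0 to CPU3.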

April 28, 2014
Do it yourself – the easy way (April 28, 2014, 05:00 UTC)

[Image: bicycle helmets]

Glass-fibre wall covering on an aerated concrete wall can be fragile against knocks, so it is not the best thing to hang the bicycle helmets directly on. It would cause too many scratches and marks.

Suddenly the idea was there. Buy a through-coloured MDF board and put it up as a backdrop for some decorative hooks, and voilà, contrast has been added to the room and with it a clear indication of the function. All our bicycle helmets now have fixed places above the laundry baskets. The execution could hardly be easier, as the board is simply mounted in the size it was bought in.


April 27, 2014
Peter Makholm a.k.a. brother
Version2.dk: Better SSL security with DNS (April 27, 2014, 21:04 UTC)
Were you hit by Heartbleed? Have you then replaced keys and certificates? What about getting the old certificates revoked? Have you tested that clients actually reject the old certificates? Did it all go painlessly? This time it went painlessly because everyone involved has been very focus...
Poul-Henning Kamp a.k.a. phk
USA: All your Cloud Are Belong to Us (April 27, 2014, 10:48 UTC)
Microsoft has got (yet) another problem. The police in the USA have asked to be handed customer data that Microsoft has stored on a server in Ireland. And a judge has ruled that the data must be handed over even though it is located in another country. In other words: just because Microsoft has "off-shored" a computer means...


April 22, 2014
Poul-Henning Kamp a.k.a. phk
Product liability or Open Source (April 22, 2014, 15:54 UTC)
Dan Geer has written something wise that you should read. He takes Heartbleed as his starting point but arrives at the same conclusion I have reached: manufacturers of equipment with embedded computers must either assume product liability or deliver open source. As things stand today, there have been rolled out millions of d...


April 20, 2014
Peter Toft a.k.a. pto
A tip for holiday entertainment here at Easter. My family and I have just spent a week on Langeland. Really cosy, but there are not that many excursion spots that can compete with the kids' Minecraft games and World of Warcraft. But we still got quite a few cosy and cultural experiences on Langela...


April 16, 2014
Full scalability for Netfilter conntracks (April 16, 2014, 11:41 UTC)
My scalability fixes for Netfilter connection tracking have reached Linus's tree and will appear in kernel release v3.15.

Netfilter’s conntrack has had a bad reputation for being slow. While this was true in the "early days", it has been offering excellent scalability for established conntracks for a long time now.  Matching against existing conntrack entries is very fast and completely scalable. (The conntrack system actually does lockless RCU (Read-Copy Update) lookups for existing connections).

The conntrack system has had a scalability problem when it comes to creating (or deleting) connections for a long time now (single central spinlock).  This scalability issue is now fixed.

This work relates to my recent efforts of using conntrack for DDoS protection, as e.g. SYN-floods would hit this "new" connection scalability problem with Netfilter conntracks.

Finally, version 3 of the patchset was accepted March 7th 2014 (note Eric Dumazet worked on the first attempts back in May 9th 2013). The most important commit is 93bb0ceb75 "netfilter: conntrack: remove central spinlock nf_conntrack_lock".

Announcing: The IPTV-Analyzer (April 16, 2014, 10:11 UTC)
I'm happy to announce the first official release of the IPTV-Analyzer project, as an Open Source project.



The IPTV-Analyzer is a continuous/real-time tool for analyzing the contents of MPEG2 Transport Stream (TS) packets, which is commonly used for IPTV multicast signals. The main purpose is continuous quality measurement, with a focus on detecting MPEG2 TS/CC packet drops.

The core component is an iptables (Linux) kernel module, named "mpeg2ts". This kernel module performs the real-time Deep Packet Inspection of the MPEG2-TS packets. It's highly performance optimized, written for parallel processing across CPU cores (via RCU locking), and hash tables are used for handling a large number of streams. Statistics are exported via the proc filesystem (scalability is achieved via use of the seq_file proc API). It scales to hundreds of IPTV channels, even on small ATOM based CPUs.

Please send bug reports, patches, improvements, comments or insults to: netoptimizer@brouer.com
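
What a TS/CC drop is, as an added example in user-space Python (not the mpeg2ts kernel module's code): each PID carries a 4-bit continuity counter that advances by one per payload-carrying packet, so a gap in it means lost packets. The sample stream and the helper that builds it are constructed for this example.

```python
"""Detect MPEG2-TS continuity-counter (CC) gaps per PID.

Added example; the packets in SAMPLE_STREAM are constructed.
"""
from collections import defaultdict

TS_PACKET_SIZE = 188
SYNC_BYTE = 0x47
NULL_PID = 0x1FFF  # stuffing packets; their CC is undefined


def parse_header(pkt):
    """Return (pid, has_payload, discontinuity, cc) for one TS packet."""
    if len(pkt) != TS_PACKET_SIZE or pkt[0] != SYNC_BYTE:
        raise ValueError("not a TS packet (bad length or sync byte)")
    pid = ((pkt[1] & 0x1F) << 8) | pkt[2]
    afc = (pkt[3] >> 4) & 0x3            # adaptation_field_control
    cc = pkt[3] & 0x0F                   # 4-bit counter, wraps 15 -> 0
    discontinuity = False
    if afc & 0x2 and pkt[4] > 0:         # adaptation field with flags byte
        discontinuity = bool(pkt[5] & 0x80)
    return pid, bool(afc & 0x1), discontinuity, cc


class ContinuityChecker:
    def __init__(self):
        self.last_cc = {}                # pid -> CC of last payload packet
        self.dup_used = {}               # pid -> one duplicate already seen
        self.lost = defaultdict(int)     # pid -> estimated lost packets

    def feed(self, pkt):
        """Process one packet; return packets estimated lost before it."""
        pid, has_payload, discontinuity, cc = parse_header(pkt)
        if pid == NULL_PID:
            return 0
        if discontinuity:                # sender announced a CC jump
            self.last_cc.pop(pid, None)
        if not has_payload:              # CC only advances with payload
            return 0
        prev = self.last_cc.get(pid)
        self.last_cc[pid] = cc
        if prev is None:
            self.dup_used[pid] = False
            return 0
        if cc == prev and not self.dup_used[pid]:
            self.dup_used[pid] = True    # a packet may be sent twice
            return 0
        self.dup_used[pid] = False
        missing = (cc - prev - 1) % 16   # lower bound: a gap of 16 looks like 0
        if missing:
            self.lost[pid] += missing
        return missing


def scan(stream):
    """Feed a byte string of back-to-back TS packets; return {pid: lost}."""
    checker = ContinuityChecker()
    for off in range(0, len(stream) - TS_PACKET_SIZE + 1, TS_PACKET_SIZE):
        checker.feed(stream[off:off + TS_PACKET_SIZE])
    return dict(checker.lost)


def make_packet(pid, cc, payload=True, discontinuity=False):
    """Build a constructed 188-byte packet for the sample below."""
    afc = (0x1 if payload else 0) | (0x2 if discontinuity or not payload else 0)
    pkt = bytes([SYNC_BYTE, (pid >> 8) & 0x1F, pid & 0xFF,
                 (afc << 4) | (cc & 0x0F)])
    if afc & 0x2:
        af_len = 1 if payload else 183
        flags = 0x80 if discontinuity else 0x00
        pkt += bytes([af_len, flags]) + b"\xff" * (af_len - 1)
    return pkt.ljust(TS_PACKET_SIZE, b"\xff")


SAMPLE_STREAM = b"".join([
    make_packet(0x100, 0), make_packet(0x101, 14), make_packet(0x100, 1),
    make_packet(NULL_PID, 0), make_packet(0x101, 15), make_packet(0x100, 2),
    make_packet(0x101, 0),               # wrap 15 -> 0, no loss
    make_packet(0x100, 5),               # CC 3 and 4 never arrived
    make_packet(0x100, 5),               # duplicate, allowed once
    make_packet(0x100, 6),
    make_packet(0x102, 7), make_packet(0x102, 11, discontinuity=True),
])

if __name__ == "__main__":
    for pid, lost in scan(SAMPLE_STREAM).items():
        print(f"PID 0x{pid:04x}: at least {lost} packet(s) lost")
```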

April 14, 2014
Poul-Henning Kamp a.k.a. phk
Open Source and Money (April 14, 2014, 08:33 UTC)
If it sounds too good to be true, it is not true, and of course free software is not free of charge: someone has to pay for the pizza and the white tennis socks in the end. Various open source software projects have "foundations" that try to scrape money together for development and maintenan...
