Jim's Depository

this code is not written

I’m not sure where this cropped up, I leaped many kernel versions, but when one of my LXC based virtual machines suddenly was unable to start machines after a kernel upgrade, the error presented like this:

root@cloud8:~# lxc-start -n rattus
lxc-start: Invalid argument - failed to create '/sys/fs/cgroup//lxc/rattus' directory
lxc-start: failed to spawn 'rattus'
lxc-start: No such file or directory - failed to remove cgroup '/sys/fs/cgroup//lxc/rattus'

Further probing revealed that I could mkdir a subdirectory (like lxc in the above example) in my cgroup filesystem, but not a second level subdirectory (like rattus) within the first one.

After a bit of adding printk() calls to the kernel and rebooting, it turned out that the Network Priority cgroup (CONFIG_NETPRIO_CGROUP) was the problem. Turning that off fixed my woes.

Further poking about suggests this check in netprio_cgroup.c is probably to blame, but I don’t understand what prioidx is, so I leave it here.

if (cgrp->parent && cgrp_netprio_state(cgrp->parent)->prioidx) {
    return ERR_PTR(-EINVAL);
}

I fervently hope that Google brings you this search result in a timely manner.

CATransform3D is a row major matrix. When they say “m23”, they mean row 2, column 3.

GLKMatrix4 is a column major matrix. When they say “m23”, they mean row 3, column 2.

This means they are NOT laid out the same in memory, their initializers are acceptable to one another but incompatible, and if you called GLKMatrix4Make(…) with row major thoughts in your head, you will be very sad after you later call GLKMatrix4Multiply.

The people who write documentation, and perhaps mathematicians, don’t like to sully their hands with details like row major and column major, after all rows and columns are simply logical fictions. (You can’t actually tell what CATransform3D thinks is a row or column until you do a multiply, but GLKit has some functions with Row and Column in the name.)

Programmers, who might like their OpenGL view to display something, do care.

You can get it wrong and not notice, except for a nagging feeling that all your matrix multiplications (CATransform3DConcat or GLKMatrix4Multiply) are backwards. The other operations are happy to work transposed.

The OpenGL Profiler in Xcode 4.3 is known to be ruined for 10.7.3. Apple suggests you get the one from Xcode 4.2.1.

Here are the steps they may not have mentioned:

  1. Download the 1.8GB of xcode_4.2.1_for_lion.dmg from the developer downloads.
  2. Try to install, but fail because you have a shiny new 4.3 installed.
  3. Repetitive use of “file”, “man”, and three unarchiving programs will let you dig your way down through the layers of archiving. It ends up being something like…

    mkdir ~/Desktop/xcode
    cd ~/Desktop/xcode
    xar -x -v -f "/Volumes/Install Xcode/InstallXcodeLion.pkg" # archive layer 1
    cd InstallXcodeLion.pkg/
    cpio -i -t < Payload # archive layer 2
    cd "Applications/Install Xcode.app/Contents/Resources/Packages"
    xar -x -f OpenGLApps.pkg # archive layer 3
    gunzip < Payload > Payload.big # silent compression
    cpio -i < Payload.big # archive layer 4
    cd "Applications/Graphics Tools"
    ls "OpenGL Profiler" # Hurray!

  4. Just before the last step, you should remember that you have Time Machine and just go back a couple weeks and snag the one from /Developer. That’s what I did, but I thought I’d finish the instructions in case you didn’t have one.

It still crashes my program in some profiler function when I attach, so nothing gained, and doesn’t ever start profiling if I launch, but maybe it will help you.

Let’s say you have a Debian Squeeze based gateway machine and your ISP wasn’t reading ahead far enough in the RFCs to get to the IPv6 chapter.

Don’t let that hold you back, you can go to IPv6 without your ISP.

What we are going to do is use a little thing called 6to4 to make your own little bubble of the IPv6 internet and stitch it to the rest of IPv6 land with your existing IPv4 connection.

  1. Find out the 6to4 tunneled IPv6 address for your IPv4 address: I use 6to4 address calculator
  2. You are going to get a /48 subnet, that is, you will have the equivalent of 65536 entire IPv4 internets to allocate inside your machine. I generally use the one with all zeroes and a single one at the end as the address of my 6to4 gateway, so my IPv6 address ends up looking like: 2002:dead:beef::1. Notice that ‘::’? That is IPv6 for “all the 16 bit blocks between here are zero”.
  3. Edit your /etc/network/interfaces file to add this interface:

    ~~~~~~~~
    iface tun6to4 inet6 v4tunnel
        address 2002:YOUR-IPV6-ADDRESS-GOES-HERE!!!!!!
        netmask 16
        remote    # anycast gateway
        endpoint any
        local YOUR-IPv4-ADDRESS-GOES-HERE!!!!!
        ttl 255
        up ip -6 route add 2000::/3 via :: dev tun6to4
        down ip -6 route flush dev tun6to4
    ~~~~~~~~
  4. Turn on your interface: ifup tun6to4
  5. Ping google’s machine: ping6 ipv6.google.com
  6. Go back and add the auto tun6to4 to your /etc/network/interfaces

Well that was easy. If you are a single machine you could be done.

But let’s say you are a gateway and you want to provide access to all of the machines behind you…

  1. Pick a subnet number. I’m going to use 1101 in this example, because it is the one I’m using. Any 4 digit hex number will suffice.
  2. Edit your /etc/network/interfaces again to add the subnet to your internal ethernet device:
    ~~~~~~~~
    iface eth1 inet6 static
        address YOUR-FIRST-THREE-PARTS:1101::1    # 1101 is 17.1, it cohabits my 172.17.1.*
        netmask 64
    ~~~~~~~~
  3. Bounce your internal interface to bring it up. (You could also skip the ifdown and use the force flag on ifup if you didn’t want to risk chopping your legs off if something goes wrong.)

    ~~~~~~~~
    ifdown eth0 ; ifup eth0
    ~~~~~~~~
  4. Note: I have a problem here. It doesn’t add the route for that network, so I have to ip route add YOUR-FIRST-THREE-PARTS:1101::/64 dev eth0. I have no idea why. If you see “Dead loop on virtual device tun6to4, fix it urgently!” in your syslog, you forgot this step.

That was also easy. Now you need to advertise the IPv6 network so clients can use it.

  1. aptitude install radvd (route advertiser. It won’t start without a config)
  2. Turn on IPv6 forwarding: edit /etc/sysctl.conf and uncomment the line that says

    net.ipv6.conf.all.forwarding=1

    Then echo 1 > /proc/sys/net/ipv6/conf/all/forwarding to make it happen without a reboot.
  3. Create your /etc/radvd.conf file, something like this should work…

    ~~~~~~~~
    interface eth1    # <<<<<< make that your network device
    {
        AdvSendAdvert on;

        prefix YOUR-FIRST-THREE-PARTS:1101::/64
        {
            AdvOnLink on;
            AdvAutonomous on;
            AdvRouterAddr on;
        };
    };
    ~~~~~~~~

  4. Restart radvd: /etc/init.d/radvd restart

Now THINK! You just blew open your firewall and are allowing access to all of your internal machines over IPv6! Time to look at ip6tables. Yes, you have to do all those rules again. You might do something basic like this to prevent anyone from coming in, except to your defined ports, and allow yourself to go out as you wish…

# IPv6 rules 
/sbin/ip6tables -F # flush all 
/sbin/ip6tables -X # delete all 
/sbin/ip6tables -t mangle -F 
/sbin/ip6tables -t mangle -X

# open loopback wide 
/sbin/ip6tables -A INPUT -i lo -j ACCEPT
/sbin/ip6tables -A OUTPUT -o lo -j ACCEPT

# drop everything inbound by default 
/sbin/ip6tables -P INPUT DROP
/sbin/ip6tables -P FORWARD DROP 
/sbin/ip6tables -P OUTPUT ACCEPT

# forwarding basis: outgoing is fine, incoming is not 
/sbin/ip6tables -A FORWARD -i tun6to4 -m state --state ESTABLISHED,RELATED -j ACCEPT # allow established 
/sbin/ip6tables -A FORWARD -o tun6to4 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT # allow outgoing 
/sbin/ip6tables -A FORWARD -i eth0 -o eth0 -j ACCEPT # we can talk amongst ourselves 
# I don't like the preceding rule, it combinatorially explodes with more than 1 interface

# by default, allow my own outgoing but no incoming 
/sbin/ip6tables -A INPUT -i tun6to4 -m state --state ESTABLISHED,RELATED -j ACCEPT # no new incoming

# allow ICMP 
/sbin/ip6tables -A INPUT -p ipv6-icmp -j ACCEPT

# open my ports 
/sbin/ip6tables -A INPUT -i tun6to4 -p tcp --destination-port 80 -j ACCEPT
/sbin/ip6tables -A INPUT -i tun6to4 -p tcp --destination-port 22 -j ACCEPT

# see the failures 
/sbin/ip6tables -A FORWARD -m limit --limit 15/minute -j LOG --log-level info
/sbin/ip6tables -A INPUT -m limit --limit 15/minute -j LOG --log-level info
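
A way to check that the rules above are really what the kernel is enforcing, as an added example (not part of the original post): it reads the text printed by `ip6tables -S` and reports anything that lets new connections in from the tunnel beyond the two ports and ICMPv6. The sample dumps are constructed, and `audit` and `opt` are names chosen for this example.

```python
import shlex

WAN, OPEN_PORTS = "tun6to4", {"22", "80"}  # interface and INPUT ports from the post

def opt(tok, *flags):
    """Value following the first of `flags` found in a rule, else None."""
    for flag in flags:
        if flag in tok:
            return tok[tok.index(flag) + 1]
    return None

def audit(dump, wan=WAN, open_ports=OPEN_PORTS):
    """Findings for `ip6tables -S` output; an empty list means the intent holds."""
    findings, policy = [], {}
    for line in dump.splitlines():
        tok = shlex.split(line)
        if len(tok) == 3 and tok[0] == "-P":
            policy[tok[1]] = tok[2]
        if len(tok) < 3 or tok[0] != "-A" or tok[1] not in ("INPUT", "FORWARD"):
            continue
        if opt(tok, "-j") != "ACCEPT":
            continue
        if "!" in tok:
            findings.append("negated match, review by hand: " + line.strip())
            continue
        if opt(tok, "-i") not in (None, wan) or opt(tok, "-o") == wan:
            continue  # LAN-side or outbound rule
        if "NEW" not in (opt(tok, "--state", "--ctstate") or "NEW").split(","):
            continue  # only replies to traffic we started
        if tok[1] == "INPUT" and (opt(tok, "-p") in ("ipv6-icmp", "icmpv6")
                                  or opt(tok, "--dport") in open_ports):
            continue  # what the post lets in on purpose
        findings.append("accepts new inbound: " + line.strip())
    for chain in ("INPUT", "FORWARD"):
        if policy.get(chain) != "DROP":
            findings.append(f"{chain} policy is {policy.get(chain)}, expected DROP")
    return findings

# Constructed samples: GOOD is roughly what the script above leaves behind.
GOOD = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i tun6to4 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -i tun6to4 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i tun6to4 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -i tun6to4 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o tun6to4 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth0 -j ACCEPT
"""
# BAD is a constructed failure case: open FORWARD policy plus a blanket rule.
BAD = GOOD.replace("-P FORWARD DROP", "-P FORWARD ACCEPT") + "-A FORWARD -i tun6to4 -j ACCEPT\n"
```

Run it against the live ruleset after every reboot or radvd change; an empty dump (rules never loaded) is reported as two policy findings.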

Most of your machines with IPv6 enabled will just work at this point. You may wish to give some of them static addresses so you can get to them from outside (after adding a firewall rule of course). The IETF took mercy on us poor old IPv4 folk and made a syntax for using IPv4 dotted quads in IPv6 addresses so you don’t have to invent all new numbers. Like this…

iface eth0 inet static


iface eth0 inet6 static
   address 2002:63b2:9d39:1101::    <<<< see me using my IPv4 for sanity
   netmask 64

… that will make the IPv6 address 2002:63b2:9d39:1101::ac11:1d6
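
The address arithmetic behind the steps above, as an added example (not from the original post): it derives the 6to4 /48 from a public IPv4 address, picks the /64 for a subnet number, embeds a LAN IPv4 address in the low 32 bits, and decodes an address back into those parts. The function names are chosen for this example; the only address taken from the post is the one above, and the IPv4 values are computed from it.

```python
import ipaddress

def sixtofour_prefix(public_v4):
    """RFC 3056: 2002::/16 followed by the 32-bit public IPv4 address is your /48."""
    v4 = ipaddress.IPv4Address(public_v4)
    if not v4.is_global:
        # A private or reserved address is not reachable through 6to4 relays.
        raise ValueError(f"{v4} is not a public IPv4 address")
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))

def lan_subnet(prefix48, subnet_hex):
    """Pick one /64 out of the /48 using a 4-digit hex subnet number (e.g. '1101')."""
    subnet_id = int(subnet_hex, 16)
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet number must fit in 16 bits")
    base = int(prefix48.network_address)
    return ipaddress.IPv6Network((base | (subnet_id << 64), 64))

def embed_v4(subnet64, lan_v4):
    """Host address whose low 32 bits are the IPv4 address (the ::w.x.y.z notation)."""
    return ipaddress.IPv6Address(
        int(subnet64.network_address) | int(ipaddress.IPv4Address(lan_v4)))

def decode(addr6):
    """Split a 6to4 address into (public IPv4, subnet hex, low-32-bit IPv4)."""
    a = ipaddress.IPv6Address(addr6)
    if a.sixtofour is None:
        raise ValueError(f"{a} is not in 2002::/16")
    subnet_id = (int(a) >> 64) & 0xFFFF
    return a.sixtofour, f"{subnet_id:04x}", ipaddress.IPv4Address(int(a) & 0xFFFFFFFF)

if __name__ == "__main__":
    # Address taken from the post; the IPv4 values are computed from it.
    pub, subnet, lan = decode("2002:63b2:9d39:1101::ac11:1d6")
    net = lan_subnet(sixtofour_prefix(str(pub)), subnet)
    print(pub, net, embed_v4(net, str(lan)))
```

Every address produced this way is globally routable, which is why the ip6tables rules have to be in place before a host gets one.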

That about does it. Someday you will get real IPv6 addresses from your ISP and need to renumber everything to add those addresses in parallel with your 6to4 addresses.

OS X will sometimes hang for 10+ seconds, frequently earning you the dread beachball. Anything that causes the program’s main thread to stop processing events will earn you a beachball, but I can suggest two:

First the easily explainable: Your hard drive might be failing. Hard drives generally fail slowly. They start detecting problematic sectors and rewrite them to good sectors and continue on their merry way. Eventually they might have to try many times to recover the data, during this time the drive is unavailable to your computer and any program that tries to access it will get a beach ball until the drive either successfully remaps the sector or gives up. Disk drives have a thing called S.M.A.R.T. which lets the computer track how the drive is failing. Do not be deceived by Disk Utility’s claims that your S.M.A.R.T. status is good. I’ve had two notebook drives failing miserably, with unrecoverable sectors (lost data) and Disk Utility was perfectly happy. Get something like Apple - Downloads - System/Disk Utilities - SMART Utility and use it. Some drives report strangely. You might have a false positive.

Second and bordering on witchcraft: If you look in your /var/log/system.log and see lines with INSERT-HANG-DETECTED you might do a tail -f /var/log/system.log and see if it correlates with your hangs. I had that on a desktop and a laptop. Now, for the strange page… Safari is tracking your web browsing and keeping images of the web sites you visit, even if you clear your caches and history. As part of Top Sites there is a directory of screen shots from web sites you visit. Not finding a GUI way to clear those, I did a rm Library/Caches/com.apple.Safari/Webpage\ Previews/*.png and a rm Library/Caches/com.apple.Safari/Webpage\ Previews/*.jpeg – on both machines my random freezes stopped. I can only posit two explanations, neither of which sounds very good. It is possible that one of the images in there is corrupt in such a way that it takes a long time to parse, and Safari parses it frequently. The other is that beyond a certain size, that directory causes terrible performance in some frequent algorithm.

Further thoughts on INSERT-QUEUE-HANG…

The error text comes from the CFNetwork framework. The question is, what is it inserting into or querying? Some sort of cache seems reasonable.

I read through the latest CFNetwork sources Apple has made available on their open source server, but these are pretty old (10.4?) and don't have these tests in them.

But at least it's a pointer.

Under Mac OS X there is a program named “security” which lets you manipulate the keychain. Its error messages are a bit useless though.

If you find yourself trying to validate a certificate and getting Cert Verify Result: CSSMERR_TP_INVALID_CERTIFICATE as a result, it could be because the certificate has entries in the subjectAltName encoded in something other than ASN.1 IA5String. In particular, PrintableString is accepted by OpenSSL and Firefox, but not by OS X.

When seen from Safari, these certificates will bump the browser back to the previous page, and if you look in the debug console will show: The certificate for this server is invalid. You might be connecting to a server that is pretending to be YOURHOSTNAME

There. Hopefully this bit of text and some googling will save someone else an afternoon.

Until recently, you got a single identity per credit card with your Amazon Web Services (AWS) account. If you wanted to grant limited access to your S3 storage to a program or server you were pretty much out of luck.

Now, Amazon is slowly rolling out subordinate accounts, with something they call AWS Identity and Access Management (IAM). Unfortunately for you, as of March 2011 they haven’t gotten around to making the web based management interface, so you are going to get to tour a bunch of command line programs written in Java.

  1. Go to IAM Getting Started Guide and start following steps to install Java and Amazon’s tools, then set a half dozen environment variables. (Go back and install sun-java6-jre if you are a Debian user, make sure non-free is in your apt source lists. Other Java implementations might work, I don’t know. And the right answer for JAVA_HOME is /usr in Debian)
  2. If you get a bunch of “Unable to execute HTTP request: Network is unreachable” errors, it probably means you have a partially functional IPv6 address. You can turn your IPv6 off with

    echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
    ip addr del ::1/128 dev lo

  3. You don’t need to mess with groups if you don’t want to. Just use…

    iam-usercreate -u YOURNEWUSERNAME -k -v

  4. Copy down the first two lines, that is the AWSAccessKeyId and AWSSecretKey for the new account.
  5. Copy down the third line, this is the “arn” you will use to set your access.
  6. Now it gets strangely painful. As near as I can tell, there is no way to reference your newly created User account in the “Grantee” section of the S3 management console, so you are going to have to delve into writing policies. You can use the policy generator to make an S3 Bucket policy. Use the “arn” you saved from line 3 as the “Principal”, set the privs you like, and for the “Resource” you can include a partial key with a “*” as a wildcard. Mine came out like this:

    {
      "Version": "2008-10-17",
      "Id": "Policy1299041893976",
      "Statement": [
        {
          "Sid": "Stmt1299041882010",
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::711941626500:user/MyUserName" },
          "Action": [ "s3:DeleteObject", "s3:PutObject" ],
          "Resource": "arn:aws:s3:::MyBucket/*"
        },
        {
          "Sid": "Stmt1299041882010",
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::711941626500:user/MyUserName" },
          "Action": [ "s3:ListBucket" ],
          "Resource": "arn:aws:s3:::MyBucket"
        }
      ]
    }

    The first half gets me PUT and DELETE on objects. The second half gets me GET on the bucket. I don’t really need that, but boto needs it when I create the bucket object to then do my put.
  7. Apparently Amazon engineering hates developers.
  8. There is an orthogonal mechanism where you make IAM policies that grant permissions to your users. That might have made more sense, but absent a web console to view them I thought I’d go with the bucket policies.

So, there you have it. Restricted roles in your S3 account.
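
A review pass over a bucket policy of this shape, as an added example (not part of the original post and not an AWS tool): it lists who is allowed to do what, and flags a reused Sid, whitespace inside a Resource ARN, wildcard principals or actions, and object actions pointed at a bucket ARN or the reverse. The sample policy, its account id and names, and the defects in it are constructed; the checks are lint heuristics chosen for this example.

```python
import json

OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}
BUCKET_ACTIONS = {"s3:ListBucket"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def review(policy_text):
    """Return (grants, findings) for an S3 bucket policy document.
    grants holds one (principal, action, resource) tuple per Allow combination."""
    grants, findings, seen = [], [], set()
    for st in json.loads(policy_text)["Statement"]:
        sid = st.get("Sid", "(no Sid)")
        if sid in seen:
            findings.append(f"{sid}: Sid reused")
        seen.add(sid)
        if st["Effect"] != "Allow":
            continue
        who = st["Principal"]
        if isinstance(who, dict):
            who = [p for v in who.values() for p in as_list(v)]
        else:
            who = [who]
        actions, resources = as_list(st["Action"]), as_list(st["Resource"])
        grants += [(p, a, r) for p in who for a in actions for r in resources]
        if "*" in who:
            findings.append(f"{sid}: allows any principal")
        if any(a in ("*", "s3:*") for a in actions):
            findings.append(f"{sid}: wildcard action")
        if any(" " in r for r in resources):
            findings.append(f"{sid}: whitespace in Resource ARN")
        object_arns = [r for r in resources if "/" in r.split(":::")[-1]]
        if OBJECT_ACTIONS & set(actions) and not object_arns:
            findings.append(f"{sid}: object action without an object ARN")
        if BUCKET_ACTIONS & set(actions) and len(object_arns) == len(resources):
            findings.append(f"{sid}: bucket action without a bucket ARN")
    return grants, findings

# Constructed sample shaped like the post's policy; the account id, names and
# the defects (reused Sid, space in an ARN, public statement) are made up.
USER = "arn:aws:iam::123456789012:user/uploader"
SAMPLE = json.dumps({"Version": "2008-10-17", "Statement": [
    {"Sid": "S1", "Effect": "Allow", "Principal": {"AWS": USER},
     "Action": ["s3:DeleteObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::MyBucket/*"},
    {"Sid": "S1", "Effect": "Allow", "Principal": {"AWS": USER},
     "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3::: MyBucket"},
    {"Sid": "S2", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::MyBucket"},
]})
```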

If you want to go straight Python, it looks like using boto is easier than wrestling Amazon's tools to the ground:

This uses those orthogonal policies I mentioned above. It disturbs me a bit because if I ask the question "Who can access this bucket?" I have to go ask all of the users, which seems wrong.

If you use Orbitz, they will sometimes tack on unwanted travel insurance. You will know this happened when you get an email from Access America with your policy. Orbitz will then pretend they can not remove it and direct you to a dysfunctional voice menu system at Access America, I suppose to try to wear you down. (There are no appropriate options, and I never could get to a human. It appears to always have “higher than expected volume”.)

Don’t let them win.

  • http://www.accessamerica.com/
  • Find the Modify/View Policy link
  • Your policy and departure date are in the email
  • They will thank you and maybe in 30 days give your money back.

Update: Refund arrived.

On January 20th iFixit published Apple’s Diabolical Plan to Screw Your iPhone about Apple’s evil pentalobular screws and their $10 kit to live with them.

As viral nerd stories go, it has everything. There is a powerful evil villain, an underdog hero, an articulate, attractive nerd (if you found the video), educational material, and a happy ending.

Let’s see how it turned out for them…

Alexa measures internet traffic with some system of taps and spies unknown to me. But you can ask it about a web site and see how their traffic fares over time:

Google Trends will tell you how search term frequency is changing with time:

I think we can safely say that article tripled iFixit’s web traffic. It’s too soon to know the long term effects, but presumably some of those eyeballs were connected to memories that will come back when they need help repairing their devices.



Another key life skill in place. The video at YouTube - Scientific Tuesdays - How to Breathe Fire Safely with Corn! covers it in both more and less detail than is required.

Most important hint: Exhale!

Second most important hint: have potable water on hand.

My hairline must have seen this coming, it has been getting out of the way for years.
