Cyrus IMAP log and cache settings

August 22nd, 2006 | 04:36

This is to address the case where Cyrus IMAP runs out of log memory. Documentation on how to do deal with this is scattered around on a number of web pages, so I thought I’d consolidate things in one place.

/var/log/maillog shows the following messages:

DBERROR db4: Logging region out of memory; you may need to increase its size

at first intermittently, and then filling the log after a day or two. At this point, the mail server basically stops working, as Sendmail’s LMTP delivery process cannot communicate with Cyrus.

The solution is to increase the memory available for the Berkeley DB logging region. While doing this, we might as well increase Cyrus’s caching region, as per the Cyrus performance FAQ:

Create a DB_CONFIG file along the lines of:

# cat /var/lib/imap/db/DB_CONFIG
set_cachesize 0 2097152 1
set_lg_regionmax 1048576

This sets the cachesize to 2MB in 1 segment (the weird syntax is described in the Berkeley DB docs), and sets the log region to 1MB. The compiled-in defaults for a Fedora system appears to be 648K and 96KB, respectively.

After the file is in place, stop cyrus, run “db_recover -h /var/lib/imap/db” and start cyrus as per this Cyrus discussion.

So, to get cache and log mem stats, we run:

# db_stat -m -h /var/lib/imap/db

and:

# db_stat -l -h /var/lib/imap/db

to verify that the settings are in effect.

Note that the db_stat and db_recover utilities are part of the db4-utils package. The path to the Cyrus BDB files (/var/lib/imap/db) is also the Fedora default, and may vary on different systems.

CUPS printing for a Samba-connected HP LJ 1100

August 20th, 2006 | 05:39

On Fedora Core 5, I did a relatively minimal installation (By the way, whoever set up the ISO images for the most minimal installation options I could find (and still have a system I could quickly get to work with) managed to go just over one CD by a package or two. This would have been OK if I hadn’t downloaded only the first ISO.) and need to do the following to get a Samba-connected HP LaserJet 1100 to work as a CUPS printer:

More packages (plus their dependencies):

foomatic.i386 3.0.2-33.3
ghostscript.i386 8.15.2-1.1
hpijs.i386 1:1.6.6a-1.1
hplip.i386 1.6.6a-1.1

Device URI:

smb://samba server/HPLJ1100

This specific model wasn’t in the standard list of HP printers, so I’m just using the HPCL 4/5 driver. I believe this comes with the foomatic package. The last two packages also seemed necessary, or else foomatic’s rasterize would die mysteriously when sending a test page.

Lastly, printer shares have to be turned on in smb.conf. On FC5, make sure that that the “path” parameter is set to /var/spool/samba instead of /usr/spool/samba, as it is in the example, or else Windows will get “Access is denied. Could not connect” type messages when you set up the printer. Testing access with smbclient is useful.

The Wilds

August 6th, 2006 | 10:46

As our guide pulled the bus through the Jurassic Park-lite gate and electric fencing, she said that The Wilds nature conservancy is equal in land area to all the zoos in North America combined. About 3.5 hours south of Cleveland, its 10,000 acres was donated from an American Electric Power surface mine, and houses a variety of endangered animals from Asia, Africa and North America. Grace and I went there for their “sunset tour” on our day trip yesterday.

Here’s the picture dump:




Unfortunately, The Wilds’s website doesn’t have a catalog of the animals they have, so I can’t say that these pictures are of, beyond a generic, “that’s a giraffe, that’s a rhino, that’s something with horns”. A lot of the animals are actually extinct or nearly so in their native regions; the species only live in captivity, though there’s always hope for breeding programs. In a number of cases, researchers know very little about these animals, and we were told that a species of deer surprised the wardens by swimming across a large lake.

As said, we went on the “sunset tour”. This is their “extended tour” package, but with a buffet-style dinner before hitting the trail in the open-air tour buses. The “extended tour” goes through all the animal enclosures, and has stops at some of the veternary facilities. For example, in the rhino station, we saw a very heavy gauge “hydraulic tamer” that immobilizes a rhino by pressing it between big metal bars, so that vets can, say, trim its toenails or draw blood for tests. There was a smaller, padded tamer in a different building for smaller animals. Both machines are better, safer, less stressful choices than knocking out the animal with tranquilizer darts.

One of the two male rhinos was at the rhino station that day. It’s a former zoo animal that received a lot of touching by its zookeepers, so it was docile enough to let the busload of visitors pet it through the fencing. Amusingly, after half the group touched one side, the rhino turned around so people could pet the other side. Intentional or not?

Shortly after leaving the rhino station, a couple of rhinos were too close to that zone’s gate to let the buses through. One of the handlers drove up in a jeep, got out and dumped buckets of feed a bit futher down the road, drawing the animals away from the gate. He did the same thing a few times further down the road.

The sunset tour also gives good photographic light, though that’s possibly more apparent towards the end of the tour in these pictures. The air is cooler than mid-day tours, and the animals are more willing to wander around. I think, also, that’s is feeding time, so their closer to the roads. We’re told that next year, they’ll have three species of carnivores (cheetahs and two types of wild dog; they’re all herbivores right now), so we’ll come back then, but maybe a month earlier than we did, so as to get a half-hour more light towards the end of the tour.

Hosting Services, sshfs and cryptsetup

July 24th, 2006 | 07:30

I’m moving hosting to a provider I have less control over. I don’t believe admins there will peak at my files, but the general rule of thumb is to not allow anything that is not permitted, and, since I’m using that box as a off-site backup of my local files, I want all my documents to go into an encrypted container. Only something resembling noise should be visible outside the home network.

To that end, I’m using sshfs to mount a remote directory on my local server. This is a very neat tool, that gives me most of what I’d get from NFS, without the hassle of explicitly encrypting the NFS traffic.

That mounted directory contains a big file that I’m using as my encrypted container. On the local machine, I’m using cryptsetup to open this container and run various rsync scripts against its contents. Everything seems to be working fine, and the cryptsetup and the rsync seem to be doing the right thing.

From the hosted machine’s point of view, there’s an ssh connection from my home IP, followed by a i/o against one of the files. The traffic and the contents of the file will appear to be noise. Keys never leave my local network, so there’s no real danger of a hypothetical bored admin at the hosting company sneaking a peak.

Fireworks for 2006

July 6th, 2006 | 06:28

Cleveland’s 4th of July fireworks again, from the roof of a building in the west Flats. You know, fireworks photos more or less look the same, after you’ve seen, say, a dozen or two of them. The photos also aren’t particularly good representations of what you see with the naked eye: exposure times are usually a couple of seconds, so the camera picks up light trails that you wouldn’t ordinarily perceive. Also, residual smoke clouds are repeatedly lit up by the explosions. That’s not a problem if you’re just watching, but tends to overexposure on the camera as the smoke clouds blow out the background; one hopes for wind. I didn’t even try to photograph the big finale because of the smoke.

I suppose the more interesting things is to put foreground objects in unusual perspectives, and put the fiery sky into the background. But I just have standard sky shots this year:


2006 4th of July fireworks

Niagara Falls and Toronto

July 5th, 2006 | 08:27

Grace had one last vacation day left for the academic year ending in June, and we took advantage of a post-call Friday and the vacation day on Monday to go to Niagara and Toronto. Here are the photos:


Niagara and Toronto pictures

One day, I’ll combine all this with a Google Maps route-marker, but the verbal description will have to do for now.

We headed up I-90 East late Friday morning, and got to the American side of the Falls in the late afternoon. It’s true: the American side has a somewhat run down, kitschy feel whereas the Canadian side has a more polished kitschy feel. What’s somewhat unexpected is that the Niagara river is flowing south to north at this point; for some reason, I had always thought it was a north-south flow, if only because Canada is vaguely to the north (the Panama Canal, in a bit of geographic surprise, similarly runs somewhat west to east, if you’re travelling from the Atlantic to the Pacific). We walked a bit around the observation platform just north of the Falls, and then across a bridge to the Goat Islands, took some pictures, and then headed over the bridge to a bed and breakfast in St. Catherine’s, in Ontario wine country.

The Fairview B&B is actually set in a golf course, so there are acres of green landscaping all around. Dinner that night, on recommendation of the B&B owners, was at Wellington Court in St. Catherine’s. It was one of the better meals we’ve had in a while; the food just clicked. The next day, again on recommendation of the B&B owners, we took the wine country trail, passing by the small Niagara wineries, farms and towns, rather than the isolated superhighway of the Queen Elizabeth Way. It was scenic, and didn’t add much more time to our drive to Toronto.

We stayed in downtown Toronto. There’s a Intercontinental hotel adjacent to the convention center, and we had a good AAA rate for that weekend. We went walking soon after we put our bags down, first to the St. Lawrence Market and then up to the University of Toronto before hooking west through the northern fringe of their Chinatown before winding up in a Little Italy street fair. And it was time for the World Cup match between Italy and the US! Crowds were gathered at any bar with a visible TV, mingling around the usual street fair booths. There were murmors as random things happened on the field. The final score was 1-1. Hey, we were now in Little Portugal, and Portugal vs. Iran was earlier in the day. Portugal won 2-0! And there were plenty of people milling around, wearing the national team’s uniform and cruising around with the flag fluttering from their car windows and antennas. We chatted with a random shopkeeper on how much he likes soccer.

Eventually, we wound through the crowded Chinatown, which is adjacent to Little Portugal, and eventually made our way down to the western part of King Street for dinner at Blowfish. The sushi was good, but the portions were a little smaller than I expected, and we actually went back to order another couple of rolls. I suppose I’m just used to the big American pieces, as opposed to the classically bite-sized Japanese-style pieces. Oh well.

By the evening, we wound up near the lakeshore and the lively entertainment district down there. Yes, Toronto is an order of magnitude more populous than Cleveland, but why can’t we have a similarly lively waterfront?

Interestingly, we didn’t find any free wi-fi access. Most coffeeshops in downtown offered subscription services. I later found this site; I’ll take a printout of the destination next time we go someplace unfamiliar.

The next day, we walked up Yonge street to reach the Royal Ontario Museum and the Bata Shoe Museum. The Royal Ontario combines both art museum and natural history museum, so it’s interesting for having good collections of both. Unfortunately, the museum was undergoing a massive renovation, and large sections of it was closed. The Bata Shoe Museum was small, and strangely focused on asubject I don’t think much about. It’s one of those random niche museums you find here and there. I would have also liked to have seen more functional design of, say, work shoes (e.g., the evolution of the steel toe boot), but there was a nice historical section showing the first known shoes and the cultural significance of footware in various societies. There was also the presumed money-maker galleries with the Jimmy Choos and Manolo Blahniks. At the end of the day, we did the obligatory tourist trek to the top of the CN Tower. More expensive than I would have liked, but it’s, yes, obligatory, and you get to see the whole of Toronto’s tall buildings in one view, in some sense.

We headed home on the following Monday, taking local routes once we got into the Niagara district and stopping at the tourist town of Niagara-On-the-Lake for lunch. The town is in some guidebook somewhere, as there was at least a couple busloads of Japanese tourists, and some of the stores had signs in Japanese. We took the riverside highway thereafter, passing by the Whirlpool downriver of the Falls, and stopping at the main tourist area for some pictures before heading further down to cross to the U.S. near Buffalo.

The rest of the drive home was pretty uneventful, outside of some passing thunderstorms. Just remember, the cheap gasoline is near Ashtabula.

Turks and Caicos

April 30th, 2006 | 13:50

Earlier this month, we spent a few days at Turks and Caicos, specifically at The Sands, a . This was the first time we had been to the Caribbean; we went with Grace’s friends, Aurora and Sonny.

I’m not a beach person, but Grace Bay has fantastic beaches. You know that desktop image that comes on Windows XP, with the turquoise water surrounding a deserted island? The water looked just like that. I went snorkling for the first time. I can’t really swim — I can float on my back in calm water — but this wasn’t a problem, as the waters were as calm as any swimming pool. We went on a snorkling excursion (Captain Bill’s Ocean Outback) where the reefs were in 15′ deep water, and I was fine with foam floatation around my waist. Grace said she actually had to drag me out of the water.

The food was pretty good. Our flight in was late, and most of the restaurants had closed by the time we checked into the hotel, but we had a decent late-night snack at a faux Irish pub. The following nights, we had a good meal at Aqua near Turtle marina near downtown, and a very good meal at Grace Cottage in the next condo/hotel development over east of ours. Fresh grouper is good. Conch — there’s a conch farm on Provo island — tasted like a firmer abalone and was also good.

I took a walk around downtown Providenciales while Grace, Aurora and Sonny attended Easter services. The bulk of the economic activity on the island is on the north eastern side, along Grace Bay, not in downtown, where it seemed that every other store was a car wash or hair salon. It was Easter, so most of them were closed.

We had thought of renting a car at one point, but found the Gecko Bus, which runs a circuit around the main hotels on Grace Bay and a few points of interest towards downtown, in particular the IGA supermarket, which appears to be the main grocery store on the island. Day passes for the Gecko Bus aren’t expensive, and can be bought at the hotel.

Capt. Bill’s excursion was the highlight of the trip. We had wanted to do a sea kayaking eco-tour, but all the slots were booked, and the description of the Ocean Outback tour sounded good. A taxi picked us up in the morning, and there was a certain sketchiness about the drive down to the boat. We had thought we’d be departing from the main marina on the northeast tip, but the taxi drove towards the middle of the island and south, on rough roads and past rock quarries. Capt. Bill’s boat was at a small beach at the end of a unpaved road. Our first stop were reefs near Turtle Rock, 15′ deep water, but you could see the bottom as clearly as if it were a bathtub. There were a couple reef formations near the rock, as well as a passage through the rock itself. There was also a large metal box of mysterious origins; it’d been there for decades, and had wildlife growing throughout it.

The next stop was a pirate cave. Capt. Bill put on a kitshy pirate show, mainly for the entertainment of the kids on the boat. On this pirate island, there were rock etchings carved centuries ago by bored pirate lookouts. A few of the etchings were “treasure maps”, e.g., initials underlined with a series of dots, where the line of dots indicated direction, and the number of dots indicated the distance. Another “treasure map” consisted of someone’s name, with a stylized letter in that name that pointed in a direction. Somewhere else, there’d be another pointer, and the intersection of the lines would be where the treasure is buried.

The last stop was a small, secluded beach. I think this was all on the less populated western part of the island, away from the kayakers, the para-sailers, etc. Capt. Bill put together a good barbeque on the boat while everyone relaxed on shore or in the shallow waters. At 3PM, we head back to that small beach we sailed from, though our boat might have had some engine trouble on the way; Capt. Bill was in the back, keeping the engines running, while the pilot brought us back.

Here are the photos. We had one of those disposable underwater cameras for the in-water shots. I had the Nikon with me, but was nervous about taking the camera out in the sand and saltwater, so there are probably fewer shots than there should be. Arguably, the landscape isn’t as interesting as Alaska — it’s kind of flat — so there probably were fewer good shots anyway. We tried to get sunset shots on the last evening there, but for some reason there was a plume of smoke right were the sun went down, which spoiled the shots.


Turks and Caicos pictures

Update: If you have Google Earth installed, here’s the KML file for the resort. It’s partially under clou
d cover, but you can see the various swimming pools, as well as the little shelters on the beach in the satellite p
hoto. I don’t know where the snorkling and pirate cave were. I think they’re on the western end of the island, but I don’t know for sure.

Malware and Safe Computing

February 16th, 2006 | 10:25

I’ve been doing freelance computer consulting for the past few months (not money to eat, but money to eat out), and that’s taken a fair bit of time. Here’s something I sent to one of these clients discussing viruses and other malware, and what we do about them:

How do most bugs get into the system? E-mails? If so, it might be a good idea to not allow anyone to open personal E-mails.

The term of art for this type of stuff is “malware”. Typically, you’ll see three types of malware: worms, viruses/trojans and spyware.

Worms infect computers without user intervention: computers that are already infected scan the Internet for vulnerable systems, and infect those, adding to the number of machines that are infected and scanning the Net. These are relatively easy to keep out in your situation, since all we need is one of those $50 firewall/router appliances, and machines in the outside world can’t get at the machines on the inside world, i.e., your office.

Most viruses (in common parlance; they’re more technically trojans) right now propagate by email. Infected computers churn out a lot of email, each carrying the virus. The email is typically targeted to real email addresses, e.g., the names on someone’s contact list in Microsoft Outlook. These emails probably look like they came from someone real, and will ask you to open up a file for review. Opening (and running) this file is typically how the virus program is executed so that the computer becomes infected. We can address this issue by using relatively secure mail programs, running antivirus scanners on the mail program, so the virus emails are flagged and deleted, and by training the user not to open up suspicious looking email (we need to do this because viruses sometimes propagate faster than the antivirus programs update their profile. This window is typically on the order of a few hours, but a fast-moving email virus might be able to slip through. This is rare, though.) The thing to note is that the user generally needs to perform some action to trigger the virus.

Spyware is a sort of nebulous category. They typically don’t propagate themselves, but are meant to direct your browser to specific websites, mainly to drive up referral traffic or advertisement payouts. Generally, the user would have to visit a website, and most likely would have to click on a message in a popup window to activate the spyware, which would then install on the computer and put up annoying popups, change the browser’s home page, and so on. We address this issue by using a safer web browser (Firefox instead of Internet Explorer), using software that blocks pop-ups (so that there’s less of a chance of accidentally triggering the spyware execution; Firefox has a built-in pop-up blocker), running antispyware scanners on the computer, and applying safe web browsing practices on the part of the user, i.e., don’t go to, say, porn sites, stay on mainstream websites like CNN, Google, etc. Also, depending on the firewall, you may be able to configure Internet access so that the office can only get to, say, the corporate web site, CNN, and so on, and can’t get to other places.

These are broad categories. The devil is in the details, of course, and there are occassionally viruses, for example, that may arrive by email and can be triggered merely by reading that email, without clicking on an executable. This usually requires a flaw in Windows or the mail program to happen. Updates for Windows and the various applications are released regularly, and it’s important to keep the machines up-to-date. This is fairly easy to do with WinXP, because, by default, it’s set to download updates from Microsoft’s website whenever a new security fix comes out. (I think AOL recently had an advertising campaign that tried to focus on the dangers of highspeed Internet access compared to slow dial-up access. The campaign exaggerated the dangers of highspeed access (almost all of which are mitigated by simply having a firewall/router in place) without highlighting the main danger of having a slow dial-up connection: when your download speed is so slow, you tend not to bother downloading Windows update files from Microsoft (some of the updates will take more than all night to download), so a lot of dial-up users are running vulnerable machines. Making sure your machine is up-to-date on security fixes is one of the most important ways to keep your computer safe.)

The reason Macs aren’t as vulnerable to these threats is that most of these threats are written so that they only run on Windows computers, as they rely on Windows programming structures. Modern Macs are also internally unix machines, and will tend to have very good internal protection: it’s possible for a virus to infect a Mac user, but that virus won’t be able to take over the computer and propagate itself, which greatly limits the ability of viruses to spread. I don’t believe there’s been a wide-spread Mac virus since OS X came out, and the only ones that people have seen tend more to be laboratory experiments that can’t propagate in the real world.

In a following email:

I think perhaps I’ve overemphasized technical fixes to malware in my previous email. Yes, technical fixes, like antivirus scanners, are necessary, but should not be considered sufficient. “Good computing practices” are probably more important after you put that necessary level of technical fixes in place.

“Good computing practices” boils down to using common sense and to not be overly trusting what comes in from the Internet. The most successful email viruses, for example, are what we’d call “social engineering” viruses. They can’t activate themselves, and so they try to trick the user into doing something that activates the virus. Some of the big viruses have been “I Love You”, which purports to be a note from a secret admirer, and “Nude Anna Kournikova Pics Here!”, which is self-explanatory. What they all have in common is some social hook that gets the user to open the attachment and run the virus; they would be harmless otherwise.

The following snippet of email arguably would be a self-propagating virus:

Hi, here’s a neat trick for your computer. Do the following:

1. Forward this email to all your friends

2. Open up a command prompt and type the following:

a) If you’re using Windows, type “del *.*”
b) If you’re using a Mac, type “rm -rf *”

Enjoy!

That email snippet would be a spectacularly unsuccessful virus, though in some sense not too different from the recent “Kama Sutra” virus scare a few weeks ago. (However, my email snippet would probably get through any antivirus scanner on the planet, and would work on Macs.) It’s unsuccessful because the email recipient knows enough not to follow the instructions. “Good computing practices” are just a more refined version of this common sense: if you get unsolicited email that tells you to open this attachment or run this application, don’t.

Note that it won’t matter if you’re banning personal mail or not: say, another client of your software vendor gets infected with one of these viruses, which picks the vendor’s email address to use as the “From:” and picks your email to use as the “To:”, then you’ll get a virus-laden email that looks like business email telling you to do open the attachment and run the program. “Good computing practices” would say that what you should do is following up with the vendor, and not simply run the program. If it’s a legitimate fix for some problem with their program, presumably you’ve been talking to the vendor about the problem already. But this email simply appeared out of the blue, so it probably isn’t legitimate. As said, the technical stuff is necessary and helps a great deal, but at the end of the day you’ll have to apply a mix of common sense and suspicion to what you’re receiving from the Internet. If you do that, you’ll be pretty secure, and anyone who advocates only technical fixes is either fooling themselves or is trying to sell you something.

Coffee Press

December 16th, 2005 | 08:57

Last week, I broke my second french press carafe this year. It was just a small bump against the counter, but the crack ran through the thin glass (I feel kitchen counters should be covered by a pliant rubberized mat now rather than fashionable-but-less-practical marble). Thoughts about replacements ran towards Lexan, but the overkill spiral ended up at stainless steel.

I did order one at Amazon, but I soon realized that we’d save more buying a coffee press locally than waiting a week on Amazon’s free shipping, all the while buying cups of coffee from the local grocery store. Starbuck’s actually has coffee presses, and their stainless steel model is basically the Bodum one available at Amazon, but with a rubberized handle. Also, they were having a sale, and I paid ten bucks less than if I had kept the online order. Plus, they threw in half a pound of coffee for free (I don’t know if they do this normally for buying home coffee makers, or whether it was because the one I got — the last one in the local store — was “open box”, which wasn’t much of an issue because it’s a hunk of metal rather than delicate electronics).

The dimensions of this coffee press are identical to the glass one; I can use the plunger from the old unit. Interestingly, the filter is a single piece of plastic with a bonded mesh, whereas the glass one had a stainless steel filter than you can disassemble for cleaning. The Starbuck’s manager told me that replacement filters are available for a buck once the one I have wears out. (Some of the Amazon reviewers of this press were freaked out by plastic coming in contact with hot water, which isn’t an issue with modern materials. Arguably, you should never eat out if you’re afraid of plastics coming in contact with your hot food.) The main drawback with the design of the plastic filter is that the skirt is kind of narrow, compared to the skirt on the stainless steel one. It’s possible to misalign the filter when plunging, leaving enough of a gap for coffee grounds to get through. I never had that problem with the old plunger. If it bothers us enough (and I keep forgetting to be careful of alignment), I can just use the old one.

One can argue that Starbuck’s is undermining itself by selling coffee making equipment for home use. It’s sort of true in my case: my Starbuck’s visits declined drastically once I started making coffee at home. On the other hand, Starbuck’s isn’t really selling coffee per se. It’s selling coffee that’s right there, right then, for all the people walking past it or working near it. And (most particularly in crowded places like New York), it’s selling somewhere-that’s-not-your-apartment; selling coffee, espresso and snacks is merely a way to monetize their living room away from home.

Knots

December 7th, 2005 | 10:12

MAKE blog had a link to this page on how to tie various knots: I Will Knot!, with video demonstrations of the tying process. Next time I stop by Wal-Mart or Home Depot, I’ll have to pick up some nylon rope.

A couple months ago, I stopped by the Lakewood YMCA’s taihojutsu class. One of their demonstrations was with tori tying uke up with some sort of restraint, where tori’s grip on both ends of the rope (actually a thick string for this demo) was what kept the binding in place. When tori let go one of one end, the binding progressively unravelled like magic. Kids apparently like the effect. I’m not sure what kind of knot they use for this, though.