From the Canyon Edge -- :-Dustin

Saturday, December 21, 2013

What you need to know about Intel AMT and the Intel NUC with Ubuntu

A couple of weeks ago, I waxed glowingly about Ubuntu running on a handful of Intel NUCs that I picked up on Amazon, replacing some aging PCs serving various purposes around the house.  I have since returned all three of those, and upgraded to the i5-3427u version, since it supports Intel AMT.  Why would I do that?  Read on...
When my shiny new NUCs arrived, I was quite excited to try out this fancy new AMT feature.  In fact, I had already enabled it and experimented with it on a couple of my development i7 Thinkpads, so I more or less knew what to expect.

But what followed was 6 straight hours of complete and utter frustration :-(  Like slam your fist into the keyboard and shout obscenities into cheese.
Actually, on that last point, I find it useful, when I'm mad, to open up cheese on my desktop and get visibly angry.  Once I realize how dumb I look when I'm angry, it's a bit easier to stop being angry.  Seriously, try it sometime.
Okay, so I posted a couple of support requests on Intel's community forums.

Basically, I found it nearly impossible (like a 1 in 100 chance) to actually get into the AMT configuration menu using the required Ctrl-P.  And in the 2 or 3 times I did get in there, the default password, "admin", did not work.

After putting the kids to bed, downing a few pints of homebrewed beer, and attempting sleep (with a 2-week-old in the house), I lay in bed, awake in the middle of the night and it crossed my mind that...
No, no.  No way.  That couldn't be it.  Surely not.  That's really, really dumb.  Is it possible that the NUC's BIOS...  Nah.  Maybe, though.  It's worth a try at this point?  Maybe, just maybe, the NumLock key is enabled at boot???  It can't be.  The NumLock key is effin retarded, and almost as dumb as its braindead cousin, the CapsLock key.  OMFG!!!
Yep, that was it.  Unbelievable.  The system boots with the NumLock key toggled on.  My keyboard doesn't have an LED indicator that tells me such inane nonsense is the case.  And the BIOS doesn't expose a setting to toggle this behavior.  The "P" key is one of the keys that is NumLocked to "*".

So there must be some incredibly unlikely race condition that I could win 1 in 100 times where me pressing Ctrl-P frantically enough actually sneaks me into the AMT configuration.  Seriously, Intel peeps, please make this an F-key, like the rest of the BIOS and early boot options...

And once I was there, the default password, "admin", includes two more keys that are NumLocked.  For security reasons, these look like "*****" no matter what I'm typing.  When I thought I was typing "admin", I was actually typing "ad05n".  And of course, there's no scratch pad where I can test my keyboard and see that this is the case.  In fact, I'm not the only person hitting similar issues.  It seems that most people using keyboards other than US-English are quite confused when they type "admin" over and over and over again, to their frustration.

Okay, rant over.  I posted my solution back to my own questions on the forum.  And finally started playing with AMT!

The synopsis: AMT is really, really impressive!

First, you need to enter the BIOS and ensure that it's enabled.  Then, you need to do whatever it takes to enter Intel's MEBx interface, using Ctrl-P (NumLock notwithstanding).  You'll be prompted for a password, and on your first login, this should be "admin" (NumLock notwithstanding).  Then you'll need to choose your own strong password.  Once in there, you'll need to enable a couple of settings, including networking/DHCP auto setup.  You can, at your option, also install some TLS certificates and secure your communications with your device.

AMT has a very simple, intuitive web interface.  Here is a comprehensive set of screen shots of all of the individual pages.

Once AMT is enabled on the target system, point a browser to port 16992, and click "Log On..."

The username is always "admin".  You'll set this password in the MEBx interface, using Ctrl-P just after BIOS post.

Here's the basic system status/overview.

The System Information page contains basic information about the system itself, including some of its capabilities.

The processor information page gives you the low down on your CPU.  Search for your Intel CPU type to see all of its capabilities.

Check your memory capacity, type, speed, etc.

And your disk type, size, and serial number.

NUCs don't have battery information, but my Thinkpad does.

An event log has some interesting early boot and debug information here.

Arguably the most useful page, here you can power a system on, off, or hard reboot it.

If you have wireless capability, you choose whether you want that enabled/disabled when the system is off, suspended, or hibernated.

Here you can configure the network settings.  Unlike a BMC (Baseboard Management Controller) on most server class hardware, which has its own dedicated interface, Intel AMT actually shares the network interface with the Operating System.

AMT actually supports IPv6 networking as well, though I haven't played with it yet.

Configure the hostname and Dynamic DNS here.

You can set up independent user accounts, if necessary.

And with a BIOS update, you can actually use Intel AMT over a wireless connection (if you have an Intel wireless card).
So this pointy/clicky web interface is nice, but not terribly scriptable (without some nasty screenscraping).  What about the command line interface?

The amttool command (provided by the amtterm package in Ubuntu) offers a nice command line interface into some of the functionality exposed by AMT.  You need to export an environment variable, AMT_PASSWORD, and then you can get some remote information about the system:

kirkland@x230:~⟫ amttool info
### AMT info on machine '' ###
AMT version:  7.1.20
Hostname:     nuc1.
Powerstate:   S0
Remote Control Capabilities:
    IanaOemNumber                   0
    OemDefinedCapabilities          IDER SOL BiosSetup BiosPause
    SpecialCommandsSupported        PXE-boot HD-boot cd-boot
    SystemCapabilitiesSupported     powercycle powerdown powerup reset
    SystemFirmwareCapabilities      f800

You can also retrieve the networking information:

kirkland@x230:~⟫ amttool netinfo
Network Interface 0:
    DhcpEnabled                     true
    HardwareAddressDescription      Wired0
    InterfaceMode                   SHARED_MAC_ADDRESS
    LinkPolicy                      31
    MACAddress                      00-aa-bb-cc-dd-ee
Network Interface 1:
    DhcpEnabled                     true
    HardwareAddressDescription      Wireless1
    InterfaceMode                   SHARED_MAC_ADDRESS
    LinkPolicy                      0
    MACAddress                      ee-ff-aa-bb-cc-dd

Far more handy than WoL alone, you can power up, power down, and power cycle the system.

kirkland@x230:~⟫ amttool powerdown
host x220., powerdown [y/N] ? y
execute: powerdown
result: pt_status: success

kirkland@x230:~⟫ amttool powerup
host x220., powerup [y/N] ? y
execute: powerup
result: pt_status: success

kirkland@x230:~⟫ amttool powercycle
host x220., powercycle [y/N] ? y
execute: powercycle
result: pt_status: success
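Since amttool's text output is stable enough to parse, the "not terribly scriptable" complaint above can be addressed without any screenscraping of the web UI.  The following is an added example, not amttool's own code and not part of the original post: it wraps amttool so that the password is read from an owner-only file and passed only into amttool's environment (rather than exported into the interactive shell, where it lands in history and in every later child process), and it parses the `amttool info` and `amttool netinfo` output above into a per-host inventory, flagging interfaces in SHARED_MAC_ADDRESS mode because, as noted further down, AMT shares the NIC with the OS and its management port is therefore reachable from the same network segment as the host.  It assumes amttool is on PATH and is invoked as `amttool <host> <command>`; the sample outputs embedded below are constructed copies of the text shown above so the parsing runs offline.

```python
"""Scriptable AMT inventory on top of amttool (added example, not amttool's
own code).  Assumes amttool is on PATH, is called as `amttool <host> <cmd>`,
reads the password from $AMT_PASSWORD and prints the text shown above; the
samples below are constructed copies of that text so parsing runs offline."""
import os
import stat
import subprocess

# Constructed sample, modelled on the `amttool info` output in the post.
INFO_SAMPLE = """\
### AMT info on machine 'nuc1' ###
AMT version:  7.1.20
Hostname:     nuc1.
Powerstate:   S0
Remote Control Capabilities:
    IanaOemNumber                   0
    OemDefinedCapabilities          IDER SOL BiosSetup BiosPause
    SpecialCommandsSupported        PXE-boot HD-boot cd-boot
    SystemCapabilitiesSupported     powercycle powerdown powerup reset
    SystemFirmwareCapabilities      f800
"""

# Constructed sample, modelled on the `amttool netinfo` output in the post.
NETINFO_SAMPLE = """\
Network Interface 0:
    DhcpEnabled                     true
    HardwareAddressDescription      Wired0
    InterfaceMode                   SHARED_MAC_ADDRESS
    LinkPolicy                      31
    MACAddress                      00-aa-bb-cc-dd-ee
Network Interface 1:
    DhcpEnabled                     true
    HardwareAddressDescription      Wireless1
    InterfaceMode                   SHARED_MAC_ADDRESS
    LinkPolicy                      0
    MACAddress                      ee-ff-aa-bb-cc-dd
"""

# Values that are space-separated token lists rather than single strings.
LIST_FIELDS = {"OemDefinedCapabilities", "SpecialCommandsSupported",
               "SystemCapabilitiesSupported"}

def parse_amttool(text):
    """'Key:  value' lines become top-level entries; a line ending in ':' opens
    a section whose indented 'Key   value' lines become a nested dict."""
    result, section = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("###"):
            continue                      # blank line or banner
        if raw[0].isspace() and section is not None:
            key, _, value = raw.strip().partition(" ")
            value = value.strip()
            result[section][key] = value.split() if key in LIST_FIELDS else value
        elif raw.endswith(":"):
            section = raw[:-1]
            result[section] = {}
        else:
            key, _, value = raw.partition(":")
            result[key.strip()], section = value.strip(), None
    return result

def shared_nic_interfaces(netinfo):
    """Interfaces on which AMT shares the NIC (and MAC) with the host OS."""
    return [name for name, fields in netinfo.items()
            if isinstance(fields, dict)
            and fields.get("InterfaceMode") == "SHARED_MAC_ADDRESS"]

def is_owner_only(mode):
    """True when a file mode grants nothing to group or others (e.g. 0600)."""
    return not (stat.S_IMODE(mode) & 0o077)

def load_password(path):
    """Read the AMT password from an owner-only file instead of the shell."""
    if not is_owner_only(os.stat(path).st_mode):
        raise PermissionError(f"{path} must be readable by its owner only")
    with open(path) as fh:
        return fh.read().strip()

def run_amttool(host, command, password):
    """Run `amttool <host> <command>`, passing the password only to that child."""
    env = dict(os.environ, AMT_PASSWORD=password)
    proc = subprocess.run(["amttool", host, command], env=env,
                          capture_output=True, text=True, check=True)
    return proc.stdout

def summarize(info_text, netinfo_text):
    """Reduce the two amttool outputs to the facts worth tracking per host."""
    info, netinfo = parse_amttool(info_text), parse_amttool(netinfo_text)
    caps = info["Remote Control Capabilities"]
    return {"hostname": info["Hostname"].rstrip("."),
            "version": info["AMT version"],
            "powerstate": info["Powerstate"],
            "power_ops": caps["SystemCapabilitiesSupported"],
            "boot_ops": caps["SpecialCommandsSupported"],
            "shared_nics": shared_nic_interfaces(netinfo)}

if __name__ == "__main__":                # usage: amt_inventory.py HOST PWFILE
    import json, sys
    host, pw = sys.argv[1], load_password(sys.argv[2])
    print(json.dumps(summarize(run_amttool(host, "info", pw),
                               run_amttool(host, "netinfo", pw)), indent=2))
```

Run against a real host as `python3 amt_inventory.py nuc1 ~/.amtpass` after `chmod 600 ~/.amtpass`; the script refuses a world- or group-readable password file.  Looping `summarize()` over a list of hosts gives a quick inventory of which machines have AMT enabled, at which firmware version, and on which interfaces the management plane sits beside the OS.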

I was a little disappointed that amttool's info command didn't provide nearly as much information as the web interface.  However, I did find a fork of Gerd Hoffmann's original Perl script in Sourceforge here.  I don't know the upstream-ability of this code, but it worked very well for my part, and I'm considering sponsoring/merging it into Ubuntu for 14.04.  Anyone have further experience with these enhancements?

kirkland@x230:/tmp⟫ ./amttool hwasset data BIOS
## '' :: AMT Hardware Asset
 Data for the asset 'BIOS' (1 item):
  (data struct.ver. 1.0)
   Vendor:       'Intel Corp.'
   Version:      'RKPPT10H.86A.0028.2013.1016.1429'
   Release date: '10/16/2013'
   BIOS characteristics: 'PCI' 'BIOS upgradeable' 'BIOS shadowing
allowed' 'Boot from CD' 'Selectable boot' 'EDD spec' 'int13h 5.25 in
1.2 mb floppy' 'int13h 3.5 in 720 kb floppy' 'int13h 3.5 in 2.88 mb
floppy' 'int5h print screen services' 'int14h serial services'
'int17h printer services'

kirkland@x230:/tmp⟫ ./amttool hwasset data ComputerSystem
## '' :: AMT Hardware Asset
 Data for the asset 'ComputerSystem' (1 item):
  (data struct.ver. 1.0)
   Manufacturer: '                                 '
   Product:      '                                 '
   Version:      '                                 '
   Serial numb.: '                                 '
   UUID:         7ae34e30-44ab-41b7-988f-d98c74ab383d

kirkland@x230:/tmp⟫ ./amttool hwasset data Baseboard
## '' :: AMT Hardware Asset
 Data for the asset 'Baseboard' (1 item):
  (data struct.ver. 1.0)
   Manufacturer: 'Intel Corporation'
   Product:      'D53427RKE'
   Version:      'G87971-403'
   Serial numb.: '27XC63723G4'
   Asset tag:    'To be filled by O.E.M.'
   Replaceable:  yes

kirkland@x230:/tmp⟫ ./amttool hwasset data Processor
## '' :: AMT Hardware Asset
 Data for the asset 'Processor' (1 item):
  (data struct.ver. 1.0)
   ID:                  0x4529f9eaac0f
   Max Socket Speed:    2800 MHz
   Current Speed:       1800 MHz
   Processor Status:    Enabled
   Processor Type:      Central
   Socket Populated:    yes
   Processor family:    'Intel(R) Core(TM) i5 processor'
   Upgrade Information: [0x22]
   Socket Designation:  'CPU 1'
   Manufacturer:        'Intel(R) Corporation'
   Version:             'Intel(R) Core(TM) i5-3427U CPU @ 1.80GHz'

kirkland@x230:/tmp⟫ ./amttool hwasset data MemoryModule
## '' :: AMT Hardware Asset
 Data for the asset 'MemoryModule' (2 items):
  (* No memory device in the socket *)
  (data struct.ver. 1.0)
   Size:         8192 Mb
   Form Factor:  'SODIMM'
   Memory Type:  'DDR3'
   Memory Type Details:, 'Synchronous'
   Speed:        1333 MHz
   Manufacturer: '029E'
   Serial numb.: '123456789'
   Asset Tag:    '9876543210'
   Part Number:  'GE86sTBF5emdppj '

kirkland@x230:/tmp⟫ ./amttool hwasset data VproVerificationTable
## '' :: AMT Hardware Asset
 Data for the asset 'VproVerificationTable' (1 item):
  (data struct.ver. 1.0)
   CPU: VMX=Enabled SMX=Enabled LT/TXT=Enabled VT-x=Enabled
   MCH: PCI Bus 0x00 / Dev 0x08 / Func 0x00
        Dev Identification Number (DID): 0x0000
        Capabilities: VT-d=NOT_Capable TXT=NOT_Capable Bit_50=Enabled
Bit_52=Enabled Bit_56=Enabled
   ICH: PCI Bus 0x00 / Dev 0xf8 / Func 0x00
        Dev Identification Number (DID): 0x1e56
   ME:  Enabled
        Intel_QST_FW=NOT_Supported Intel_ASF_FW=NOT_Supported
Intel_AMT_FW=Supported Bit_13=Enabled Bit_14=Enabled Bit_15=Enabled
        ME FW ver. 8.1 hotfix 40 build 1416
   TPM: Disabled
        TPM on board = NOT_Supported
   Network Devices:
        Wired NIC - PCI Bus 0x00 / Dev 0xc8 / Func 0x00 / DID 0x1502
   BIOS supports setup screen for (can be editable): VT-d TXT
        supports VA extensions (ACPI Op region) with maximum ver. 2.6
        SPI Flash has Platform Data region reserved.

On a different note, I recently sponsored a package, wsmancli, into Ubuntu Universe for Trusty, at the request of Kent Baxley (Canonical) and Jared Dominguez (Dell), which provides the wsman command.  Jared writes more about it here in this Dell technical post.  With Kent's help, I did manage to get wsman to remotely power on a system.  I must say that it's a bit less user friendly than the equivalent amttool functionality above...

kirkland@x230:~⟫  wsman invoke -a RequestPowerStateChange -J request.xml"CIM_ComputerSystem",SystemName="Intel(r)AMT",CreationClassName="CIM_PowerManagementService",Name="Intel(r) AMT Power Management Service" --port 16992 -h --username admin -p "ABC123abc123#" -V -v

I'm really enjoying the ability to remotely administer these systems.  And I'm really, really looking forward to the day when I can use MAAS to provision these systems!


Why I returned all of my i3 Intel NUCs...

and bought 3 more with the i5-3427u CPU!

A couple of weeks ago, I waxed glowingly about Ubuntu running on a handful of Intel NUCs that I picked up on Amazon, replacing some aging PCs serving various purposes around the house.  I have since returned all three of those...and upgraded to the i5 version!!!  Read on to find out why...
Whenever I publish an article here, the Blogger/G+ integration immediately posts a link to my G+ feed.  In that thread, Mark Shuttleworth asked if these NUCs supported IPMI or a similar technology, such that they could be enabled in MAAS.  I responded in kind, that, sadly, no, they only support tried-and-trusty-but-dumb-old-Wake-on-LAN.

Alas, an old friend, fellow homebrewer, and new Canonicaler, Ryan Harper, noted that the i5-3427u version of the NUC (performance specs here) actually supports Intel AMT, which is similar to IPMI.  Actually, it's an implementation of WBEM, which itself is fundamentally an implementation of the CIM standard.

That's a healthy dose of alphabet soup for you.  MAAS, NUC, AMT, IPMI, WBEM, CIM.  What does all of this mean?

Let's do a quick round of introductions for the uninitiated!
  • NUC - Intel's Next Unit of Computing.  It's a palm sized computer, probably intended to be a desktop, but actually functions quite well as a Linux server too.  Drawing about 10W, it has roughly the same power as an AWS m1.xlarge, and costs about as much as 45 days of an m1.xlarge's EC2 bill.
  • MAAS - Metal as a Service.  Installing Ubuntu servers (or desktops, for that matter), one by one, with a CD/DVD/USB-key is so 2004.  MAAS is your PXE/DHCP/TFTP/DNS (shit, more alphabet soup...) solution, all-in-one, ready to install Ubuntu onto lots of systems at scale!  Oh, and good news...  Juju supports MAAS as one of its environments, which is cool, in that you can deploy any charmed Juju workload to bare metal, in addition to AWS and OpenStack clouds.
  • AMT - Intel's Active Management Technology.  This is a feature found on some Intel platforms (specifically, those whose CPU and motherboard support vPro technology), which enables remote management of the system.  Specifically, if you can authenticate successfully to the system, you can retrieve detailed information about the hardware, power cycle it on and off, and modify the boot sequence.  These are the essential functions that MAAS requires to support a system.
  • IPMI - Intelligent Platform Management Interface.  Also pioneered by Intel, this is a more server focused remote network management of systems, providing power on/off and other capabilities.
  • WBEM - Web Based Enterprise Management.  Remote system management technology available through a web browser, based on some internet standards, including CIM.
  • CIM - Common Information Model.  An open standard that defines how systems in an IT environment are represented and managed.  Does that sound meta to you?  Well, yes, yes it is.
Okay, we have our what?

So I actually returned all 3 of my Intel NUCs, which had the i3 processor, in favor of the more powerful (and slightly more expensive) i5 versions.  Note that I specifically bought the i5 Ivy Bridge versions, rather than the newer i5 Haswell, because only the Ivy Bridge actually supports AMT (for reasons that I cannot explain).  In fact, in comparison to Haswell, the Ivy Bridge systems:
  1. have AMT
  2. are less expensive
  3. have a higher maximum clock speed
  4. support a higher maximum memory
The only advantage I can see of the newer Haswells is a slightly lower energy footprint, and a slightly better video processor.

When 3 of my shiny new NUCs arrived, I was quite excited to try out this fancy new AMT feature.  In fact, I had already enabled it and experimented with it on a couple of my development i7 Thinkpads, so I more or less knew what to expect.

At this point, I split this post in two.  You're welcome to read on, to learn what you need to know about Intel AMT + Ubuntu + the i5-3427u NUC...


Saturday, November 30, 2013

Its Go Time -- Kirkland 13.11 LTS Released!

AUSTIN, Texas -- Kirkland Family Life Enterprises are proud to announce the eagerly anticipated release of the second product of its generation -- Kirkland 13.11 Ultra LTS (code name: Corinne).

Chief Architect and Lead Developer Kimberly Kirkland (code name: Mommy) delivered another perfect new child process at 10:40pm on November 18th, 2013 -- four days slightly behind schedule this time.  As with previous projects, the development team labored through a very long workday, having begun the release procedures with an all-day Sprint that kicked off around 7am that morning.

Senior Product Manager and Community Coordinator Dustin Kirkland (code name: Daddy) multi-tasked a stream of procurement and support requests, and helped ensure an agile delivery.  He tagged each milestone with snapshots, offering encouragement throughout each task.  Kim and Dustin were assisted by an expert team of support engineers, Stephanie Carter (code name: Nanny) and Gerri Gros (code name: Mimi), who joined them on-site for the final QA and the initial release party.  Dustin wore a Golang Gopher t-shirt for the duration of the sprint, with Kim noting that the cute gopher face made her smile any time the going got tough.

Corinne 13.11 is an "Ultra" Long Term Support release, with first class expert support for at least 18 years.  She is already showing tremendous input/output capabilities and impressive throughput I/O performance.  A contract technician confirmed that her dual-channel stereo input is in good working order, and that her analog output volume, while still a bit inarticulate and compressed, is quite audible.  "We're so delighted to meet her!," says Kimberly, exhausted but joyful.  Kim sheds a tear, "We just couldn't be happier!"

Complete release notes do state that Corinne is currently prone to frequent, spontaneous reboots and random periods of inactivity.  Fortunately, her init and shutdown sequences are quite efficient.  Kim and Dustin shared the design responsibilities for Corinne's look and feel.  They seem to have done quite an elegant job, having achieved fine unity around her outer shell.  And she has a simply gorgeous greeter!  While they have some experience at this point, Dustin and Kim were a bit out of practice and are still getting used to the young interface.  They do have quite a bit more debugging experience with various sleep states, and suspend/resume features.  Continuous integration is essential to a smooth running product!

"I'm just loving every second of uptime!" says Dustin, while dealing with an unexpected core dump on the system console.  "We've been looking forward to this package import for quite some time."

Corinne is currently in a limited-release mode, with access only granted to a few statically linked associates.   But in another 6 weeks or so, she's expected to make her first GA appearances, with a formal release party still to be held.

Corinne did meet her elder sister release, Camille, and these two will certainly be constant companions!

While Kirkland Family Life Enterprises are evolving quickly, their trajectory looks impressive, as we confirmed with Board of Directors chairmen Allen Kirkland (code name: Paw Paw) and Robert Gros (code name: Bob).  "We're just delighted with our venture investments and they continue to have our complete backing!" claim the chairmen.  Technical Advisers Donna Kirkland (code name: Gran) and Gerri Gros (code name: Mimi) said, "What an excellent team, and a fine family of products!"

Asked if there's a 3.0 update in the works, Dustin, wearing his VP Product hat, shrugged and noted that they still have plenty of development to do on their current two products.  "Let's work on maturing our 1.0 and 2.0 with stable release updates before we start talking about a whole new product line!  We're not on a time-based release schedule, so just ask me again in a year or two."


Monday, November 18, 2013

Is privacy really yours?

I'm trying desperately to hold private my opinions about the latest revelations on the ways and means of modern espionage, its targets, and rationalizations.

But I find this logic, from Congressman Mike Rogers, Chairman of the House Intelligence committee, quite dangerous...

He says, and I quote:
"You can't have your privacy violated if you don't know your privacy is violated".
While the United States laws on privacy are complicated, I feel that this is so awfully wrong :-(

Criminal voyeurism is illegal.  Date rape is illegal.  This is not a thought experiment.  If a tree falls in the forest, there is a tree on the ground irrespective of its audiology.

Comprehend Congressman Rogers' same logic applied to Rohypnol.  Or a video camera hidden in a dressing room.  These are blatant crimes, whether or not the victims are aware of the violations of their privacy.

This recent TED talk, by Mikko Hypponen, is incredibly thought provoking.  Chillingly, he quips, "Orwell was an optimist".  Yikes.  On a happier note, I'm almost positive his slides in this talk use the Ubuntu font.  Presumably he delivered this presentation in Brussels from an Ubuntu PC?


Saturday, November 16, 2013

The Juke

I do hereby nominate this move as the greatest juke in the history of the football quarterback.

November 9, 2013 at Kyle Field, Texas A&M vs. Mississippi State
For the record, Johnny Football completes a 26 yard pass on the play.  After scrambling a bit more.  Too much to fit in a single animated gif.  Wow.

Friday, November 15, 2013

Review: Ubuntu and an Intel NUC

Last week, I posed a question on Google+, looking for suggestions on a minimal physical format, x86 machine.  I was looking for something like a Raspberry Pi (of which I already have one), but really it had to be x86.

I was aware of a few options out there, but I was very fortunately introduced to one spectacular little box...the Intel NUC!

The unboxing experience is nothing short of pure marketing genius!

The "NUC" stands for Intel's Next Unit of Computing.  It's a compact little device, that ships barebones.  You need to add DDR3 memory (up to 16GB), an mSATA hard drive (if you want to boot locally), and an mSATA WiFi card (if you want wireless networking).

The physical form factor of all models is identical:

  • 4.6" x 4.4" x 1.6"
  • 11.7cm x 11.2cm x 4.1cm

There are 3 different processor options:

And there are three different peripheral setups:

  • HDMI 1.4a (x2) + USB 2.0 (x3) + Gigabit ethernet
  • HDMI 1.4a (x1) + Thunderbolt supporting DisplayPort 1.1a (x1) + USB 2.0 (x3)
  • HDMI 1.4a (x1) + Mini DisplayPort 1.1a (x2) + USB 2.0 (x2); USB 3.0 (x1)
I ended up buying 3 of these last week, and reworked my audio/video and baby monitoring setup in the house.  I bought 2 of these (i3 + Ethernet), and 1 of these (i3 + Thunderbolt).

Quite simply, I couldn't be happier with these little devices!

I used one of these to replace the dedicated audio/video PC (an x201 Thinkpad) hooked up in my theater.  The x201 was a beefy machine, with plenty of CPU and video capability.  But it was pretty bulky, rather noisy, and drew too much power.

And the other two are Baby-buntu baby monitors, as previously blogged here, replacing a real piece-of-crap Lenovo Q100 (Atom + SiS307DV and all the horror maligned with that sick chip set).

All 3 are now running Ubuntu 13.10, spectacularly I might add!  All of the hardware cooperated perfectly.

Here are the two views that I really wanted Amazon to show me, as I was buying the device...what the inside looks like!  You can see two mSATA ports and red/black WiFi antenna leads on the left, and two DDR3 slots on the right.

On the left, you can now see a 24GB mSATA SSD, and beneath it (not visible) is an Intel Centrino Advanced-N 6235 WiFi adapter.  On the right, I have two 8GB DDR3 memory modules.

Note, to get wireless working properly I did have to:

echo "options iwlwifi 11n_disable=1" | sudo tee -a /etc/modprobe.d/iwlwifi.conf

The BIOS is really super fancy :-)  There's a mouse and everything.  I made a few minor tweaks, to the boot order, assigned 512MB of memory to the display adapter, and configured it to power itself back on at any power loss.

Speaking of power, it sustains about 10 watts of power, at idle, which costs me about $11/year in electricity.

Some of you might be interested in some rough disk IO statistics...

kirkland@living:~⟫ sudo hdparm -Tt /dev/sda
 Timing cached reads:   11306 MB in  2.00 seconds = 5657.65 MB/sec
 Timing buffered disk reads: 1478 MB in  3.00 seconds = 492.32 MB/sec

And the lshw output...

    description: Desktop Computer
    product: (To be filled by O.E.M.)
    width: 64 bits
    capabilities: smbios-2.7 dmi-2.7 vsyscall32
    configuration: boot=normal chassis=desktop family=To be filled by O.E.M. sku=To be filled by O.E.M. uuid=[redacted]
       description: Motherboard
       product: D33217CK
       vendor: Intel Corporation
       physical id: 0
       version: G76541-300
       serial: [redacted]
          description: BIOS
          vendor: Intel Corp.
          physical id: 0
          version: GKPPT10H.86A.0025.2012.1011.1534
          date: 10/11/2012
          size: 64KiB
          capacity: 6336KiB
          capabilities: pci upgrade shadowing cdboot bootselect socketedrom edd int13floppy1200 int13floppy720 int13floppy2880 int5printscreen int14serial int17printer acpi usb biosbootspecification uefi
             width: 32 bits
             clock: 66MHz
             capabilities: storage msi pm ahci_1.0 bus_master cap_list
             configuration: driver=ahci latency=0
             resources: irq:40 ioport:f0b0(size=8) ioport:f0a0(size=4) ioport:f090(size=8) ioport:f080(size=4) ioport:f060(size=32) memory:f6906000-f69067ff
        *-serial UNCLAIMED
             description: SMBus
             product: 7 Series/C210 Series Chipset Family SMBus Controller
             vendor: Intel Corporation
             physical id: 1f.3
             bus info: pci@0000:00:1f.3
             version: 04
             width: 64 bits
             clock: 33MHz
             configuration: latency=0
             resources: memory:f6905000-f69050ff ioport:f040(size=32)
          physical id: 1
          logical name: scsi0
          capabilities: emulated
             description: ATA Disk
             product: BP4 mSATA SSD
             physical id: 0.0.0
             bus info: scsi@0:0.0.0
             logical name: /dev/sda
             version: S8FM
             serial: [redacted]
             size: 29GiB (32GB)
             capabilities: gpt-1.00 partitioned partitioned:gpt
             configuration: ansiversion=5 guid=be0ab026-45c1-4bd5-a023-1182fe75194e sectorsize=512
                description: Windows FAT volume
                vendor: mkdosfs
                physical id: 1
                bus info: scsi@0:0.0.0,1
                logical name: /dev/sda1
                logical name: /boot/efi
                version: FAT32
                serial: 2252-bc3f
                size: 486MiB
                capacity: 486MiB
                capabilities: boot fat initialized
                configuration: FATs=2 filesystem=fat mount.fstype=vfat mount.options=rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro state=mounted
                description: EXT4 volume
                vendor: Linux
                physical id: 2
                bus info: scsi@0:0.0.0,2
                logical name: /dev/sda2
                logical name: /
                version: 1.0
                serial: [redacted]
                size: 25GiB
                capabilities: journaled extended_attributes large_files huge_files dir_nlink recover extents ext4 ext2 initialized
                configuration: created=2013-11-06 13:01:57 filesystem=ext4 lastmountpoint=/ modified=2013-11-12 15:38:33 mount.fstype=ext4 mount.options=rw,relatime,errors=remount-ro,data=ordered mounted=2013-11-12 15:38:33 state=mounted
                description: Linux swap volume
                vendor: Linux
                physical id: 3
                bus info: scsi@0:0.0.0,3
                logical name: /dev/sda3
                version: 1
                serial: [redacted]
                size: 3994MiB
                capacity: 3994MiB
                capabilities: nofs swap initialized
                configuration: filesystem=swap pagesize=4095

It also supports: virtualization technology, S3/S4/S5 sleep states, Wake-on-LAN, and PXE boot.  Sadly, it does not support IPMI :-(

Finally, it's worth noting that I bought the model with the i3 for a specific purpose...  These three machines all have full virtualization capabilities (KVM).  Which means these little boxes, with their dual-core hyper-threaded CPUs and 16GB of RAM are about to become Nova compute nodes in my local OpenStack cluster ;-)  That will be a separate blog post ;-)


Thursday, November 7, 2013

Byobu's Ubuntu Color Scheme for Manpages and Grep

I've been trying to bring Ubuntu's beautiful color palette to the command line through Byobu, starting with the command prompt, by defining a new $PS1 value.

As of Byobu 5.63 (in Trusty now, or in the Byobu PPA for other Ubuntu releases), we now have an Ubuntu theme for less, the default interface for reading manpages at a command line, as well as grep.

Double bright mode is defined to a lighter shade of Ubuntu orange, standout mode is either background Ubuntu orange or italics (depending on your terminfo), and underline mode is a lighter shade of aubergine.

Grep highlights matches in an Ubuntu orange.  A special thanks goes to Nick Moffitt for that one, who is quite proudly not a Byobu user :-)

Here are some screenshots of Gnome Terminal with a few of the default color profiles.  Enjoy!


Wednesday, October 30, 2013

My Linux Rigs

Steven Ovadia graciously invited me to participate in his collection of Linux desktops surveyed in his blog, My Linux Rig...  My answers to his interview are cross-posted on both his site and mine.  Enjoy!

1. Who are you, and what do you do?

My name is Dustin Kirkland.

I work for Mark Shuttleworth at Canonical, as a Product Manager on the Ubuntu Cloud, building enterprise solutions and server products on top of Ubuntu.  My work on open source software at Canonical often spills over into my nights and weekends, developing free software for fun as well.  I have authored, and continue to maintain, over two dozen open source projects, including Byobu and eCryptfs, among others.

2. Why do you use Linux?

I have been using Linux since 1997, when I was in college at Texas A&M University.  For one Computer Science class, I was "required" to buy a Zip Drive, which could hold 100MB on a special (i.e. expensive) proprietary disk cartridge.  This seemed like an absolutely awful solution to the problem of carrying data from one place to another (and Dropbox wouldn't be invented for another 11 years).

I negotiated with that professor to let me use a web server on the Internet for uploading and downloading my assignments.  So I bought a few hundred MBs from a web host in 1997.  When I received my credentials, I quickly realized that I would need an SSH client and that I would have to learn Red Hat Linux.  So I bought a book and immediately fell in love!

I used Red Hat Linux until Fedora was released, running that until 2006 when I first installed Ubuntu.  My wife was an elementary school teacher at the time, and I installed Edubuntu on a couple of perfectly-working-but-old computers that her school had basically thrown away :-(  I rescued them out of the trash, and installed Ubuntu 6.06 LTS (Dapper Drake).  Days later, I installed MythTV on Ubuntu on several machines I had throughout the house, and I was smitten.  I never really returned to a Red Hat based system.  Almost everything in Ubuntu just worked, and where it didn't, there was an abundance of quality documentation.

Professionally, I worked at IBM in Tivoli and the Linux Technology Center in Austin, TX from 2000-2007, on various aspects of Linux security and certifications.  I also spent most of 2005 working for IBM on-site at Red Hat in Westford, MA, making some excellent friends and helping enable RHEL on PowerPC.  In 2008, I started working at Canonical, as one of the early developers building the Ubuntu server and virtualization platform.

We run Linux almost exclusively in the Kirkland house.  Looking at my dd-wrt router for static IP leases, I can count over 40 active Linux devices currently drawing IP addresses!  A couple of laptops (Ubuntu, ChromeOS), desktops (Ubuntu), routers (dd-wrt), TVs, PS3s, phones (Android, Ubuntu Touch), tablets (Android, Ubuntu Touch), Kindles, a Chumby, a Raspberry Pi, a Synology NAS, etc.  I do have one Mac Mini running OS X, for a few apps that have no viable workaround on Linux (mostly crappy teleconference software used by Windows/Mac users).

Across the board, Linux has given me the power and flexibility I expect out of computing systems, for nearly two decades.  And what's most amazing is that it just keeps getting better!

3. What distribution do you run on your main desktop/laptop?

Ubuntu.  I am an Ubuntu Core Developer, and I tend to run the development (bleeding edge) Ubuntu Desktop and Server (in virtual machines and containers).

4. What desktop environment do you use and why do you use it?

Unity.  I use Unity mostly in the interest of dog-fooding the default Ubuntu setup.  Frankly, I have very little need of a desktop environment.  Unity works fine for me.  Though so does Gnome, KDE, XFCE, etc.

Basically, I need a browser (Chromium), an IRC client (xchat2), a terminal (gnome-terminal), and my desktop manager to stay out of my way :-)

5. What one piece of software do you depend upon with this distribution? Why is it so important?


I use Byobu all day, every day.  I usually run Byobu in a gnome-terminal, maximized on a 1920x1080 Samsung 40" LCD.  I then use splits (Shift-F2, Ctrl-F2) to carve up my terminal into smaller panes.  Some horizontal (builds or something with lots of scrolling output), some vertical (side-by-side code review), some combinations (dev + test + monitoring) -- whatever makes sense for my current task.  I use the keyboard to navigate around those splits (Shift-Up/Down/Left/Right).  Sometimes I'll create a new window (F2), if I want to background some work in a separate window, with its own splits.  If I need to SSH to a remote system, I open a new tab in gnome-terminal (Shift-Ctrl-t), and attach to a remote Byobu session, where perhaps I've left some other work running in the background.  I use Byobu's status line at the bottom to monitor what machine I'm on, its distro and version, any updates that are available, uptime count, CPU speed and temperature, battery level, WiFi signal, system load, memory usage, hostname/IP address, and the time/date.  Byobu adds hours of productivity to my work week, every week :-)

6. What kind of hardware do you run this setup on?

I currently use a Thinkpad x230 with a dual-core hyper-threaded i7, 16GB of RAM, 240GB Intel SSD, 9-cell battery.

I absolutely love the 12" form factor, as it's nice and compact for traveling while still offering beast mode CPU/Memory.  The 9-cell battery gives me 8+ hours of up time.  I tend to replace my primary laptop on a yearly basis and sell my gently used model on CraigsList, or give it to a family member.

When I'm not traveling or working from my front/back porch, I keep it in a docking station, attached to a 40" Samsung LCD (primary monitor) and a 23" Samsung LCD (secondary monitor), a Logitech c920 web cam, Klipsch THX 2.1 speakers, gigabit Ethernet, a Simtec entropy key, a Yubikey for multi-factor auth, and a Thinkpad USB keyboard.

I have used Thinkpads since about 2000, and I'm generally a pretty big fan.  I simply cannot live without "the dot".  I might consider an HP or Dell laptop sometime, but it absolutely must have a TrackPoint, as I like to keep my fingers on the keyboard, in the home position, and still have access to the cursor.  I disable touch pads with a vengeance, and then curse the engineers who continue to embed them in laptops :-)

7. Will you share a screenshot of your desktop?

Sure.  I usually run my browser/terminal/IRC maximized in the 40" monitor on the left, and use the 23" monitor on the right only when using Skype or G+ Hangouts.  The background is just the stock Ubuntu background.  No icons on my desktop.  Ever, ever, ever.


Wednesday, October 23, 2013

Nespresso Colors Decoded! PDF Cheat Sheet Here...

Like any good programmer, I drink a lot of coffee.

And like any well-cultured techie, I particularly love espresso :-)

I've been brewing my own espresso using a Bialetti stove top coffee maker for most of two decades.  Particularly on Sunday mornings, I enjoy the deliberate process of grinding fresh beans, perfectly packing the little filter, and intently listening for the bubbly, gurgly final moments of an absolutely perfect brew.

But on work days, I just want a damn coffee :-)  Quickly.  Oh, and it's never fun cleaning a stove top espresso maker.  Not even on Sundays.

So earlier this year, I made the switch to a Nespresso Pixie.  Wow.  Perfect espressos, cappuccinos, lattes, americanos, and (my favorite) cortados, every single time.  Less than 2 minutes per cup.  And no mess :-)  At all.  Ever.

The only problem?  A classic paradox of choice!  I suppose the pods are cleverly color-coded, but with 16 different hued options, about all I can remember is that black=strong+bold, and red=decaf.  The 14 others are complete mysteries to me, and I've long since tossed the packaging material that accompanied the original variety pack.

I searched for a Nespresso flavor chart, and the closest thing I found was this flavor wheel chart.  But at 500x414 pixels, the resolution was too low to print legibly.  I couldn't find a higher resolution image anywhere.

So I brewed myself a tall latte, recreated it from scratch in Google Docs, and I'm sharing it here with you as a high resolution PDF and PNG.  Print and post yours next to your vim/emacs/screen/git cheat sheet :-)

Ciao, ciao!

Wednesday, October 16, 2013

Byobu T-shirts are here!

Byobu t-shirts are here!  I just received mine in the mail today and I'm really, really pleased with the comfort and quality!

Super comfortable American Apparel® brand, made from sustainable organic cotton.  I ordered the off white, with unique green stitching, featuring the vector rendered Byobu logo and the Ubuntu font.

Though it is also available in classic hack3r black ;-)  My closet is pretty loaded with black t-shirts, so I thought I'd change it up a bit.

You can show your support for the Byobu project, if you like, by ordering a shirt here.  Thanks!


Tuesday, October 8, 2013

Going paperless means, "Email me a PDF", not "Email me your URL"

I love going paperless.  When it's done properly, anyway.

My tiny little Austin, Texas lawn service does it correctly!  Ashley emails me once a month, thanking me for my business, and attaches a PDF invoice.  And I send them an electronic check.

While Wells Fargo, the largest bank in the world, does not...  Wells Fargo sends me an email, politely informing me that it is now my responsibility to log into their customer service portal, click through 3 links and then download my latest statement.  I'm sorry, but that's crap.

The positive, "green" environmental impact, saving some paper, is lovely of course.  What I really appreciate is having my own digital archive of information, from bills to legal documents, especially when coupled with something like Google Docs, that I can use to search, anywhere, any time.

That said, I find it completely unacceptable when accounts offer/suggest/insist that you "go paperless" with them, but rather than emailing you an HTML or PDF snapshot, they instead send you a link to log into their website and view your paperless account information.

This is, frankly, a very insidious form of vendor lock-in that cloud computing has invited into our daily lives, and most of us haven't even noticed it yet.

The burden has shifted from your account managers pushing (mailing) information to you, and instead it now resides on you to pull that information from their archive regularly and archive it on your end.



Do you see the difference?

What happens when you close that account?  What happens when that entity goes out of business?  Or gets acquired?  Merges with a different entity?   Automatically expires some information as too-old-to-be-archived-any-longer?  Rolls out some completely unnecessary changes to their website interface which requires Internet Explorer? Or deprecates the archive functionality entirely?

Or worse, what happens when unethical business practices affect your personal account information and your data gets modified under you?  It's pretty trivial for a sysadmin or rogue process to update some records in a database and comprehensively regenerate millions of reports...

Many people trusted Bernie Madoff with their money...
That's right -- you may no longer have accurate access to your own account information, if you didn't download, snapshot, and back it up yourself when it was originally published.

I learned this lesson the hard way.  I recently rolled over my 401(k) from a previous employer's plan manager.  And when I did so, they terminated my online account access.  I certainly understand why, as I no longer had any funds under management.  The consequence, though, is that I immediately lost access to several years of digital statements associated with my account.  Poof.

I'm sorry, but, "Yes, I want to go paperless" means, "Email me a PDF" not, "Email me a link to your damn website once a month".

p.s. And while you're implementing that, how about sending me something machine readable, in addition to a PDF?  Oh, and please sign and encrypt that email.  I know, I know...  Techmology is hard.  I'm asking way too much...  Arg.


Tuesday, October 1, 2013

Fingerprints are Usernames, not Passwords

As one of the maintainers of eCryptfs, and a long time Thinkpad owner, I have been asked many times to add support to eCryptfs for Thinkpad's fingerprint readers.

I actually captured this as a wishlist bug in Launchpad in August 2008, but upon thinking about it a bit more, I later closed the bug "won't fix" in February 2009, and discussed in a blog post, saying:
Hi, thanks so much for the bug report. I've been thinking about this quite a bit lately. I'm going to have to mark this "won't fix" for now. The prevailing opinion from security professionals is that fingerprints are perhaps a good replacement for usernames. However, they're really not a good replacement for passwords. Consider your laptop... How many fingerprints of yours are there on your laptop right now? As such, it's about as secret as your username. You don't leave your password on your spacebar, or on your beer bottle :-) This wikipedia entry (although it's about Microsoft Fingerprint Readers) is pretty accurate: *, I'm sorry, but I don't think we'll be fixing this for now.
I'm bringing this up again to highlight the work released last week by The Chaos Computer Club, which has demonstrated how truly insecure Apple's TouchID is.

There may be civil liberties at issue as well.  While this piece is satire, and Apple says that it is not sharing your fingerprints with the government, we've been kept in the dark about such things before.  I'll leave you to draw your own conclusions on that one.

But let's just say you're okay with Apple sharing your fingerprints with the NSA.  As I've already told you, they're not private at all.  You leave them on everything you touch.  And let's say you're insistent on using fingerprint (biometric) technology because you can.  In that case, your fingerprints might identify you, much as your email address or username identifies you, perhaps from a list.

I could see some value, perhaps, in a tablet that I share with my wife, where each of us has our own account, with independent configurations, apps, and settings.  We could each conveniently identify ourselves by our fingerprint.  But biometrics cannot, and absolutely must not, be used to authenticate an identity.  For authentication, you need a password or passphrase.  Something that can be independently chosen, changed, and rotated.  I will continue to advocate this within the Ubuntu development community, as I have since 2009.

Once your fingerprint is compromised (and, yes, it almost certainly already is, if you've crossed an international border or registered for a driver's license in some US states and countries), how do you change it?  Are you starting to see why this is a really bad idea?

There are plenty of inventions that exist, but turned out to be bad ideas.  And I think fingerprint readers are another one of those.

This isn't a knock on Apple, as Thinkpads have had embedded fingerprint readers for nearly a decade.  My intention is to help us stop and think about the place of biometrics in security.  Biometrics can be used as a lightweight, convenient mechanism to establish identity, but they cannot authenticate a person or a thing alone.

So please, if you have any respect for the privacy of your data, or your contacts' information, please don't use fingerprints (or biometrics, in general) for authentication.
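The design this post argues for, written out as an added example (it is not code from the post, from eCryptfs, or from any fingerprint reader): the fingerprint template is only a lookup key that selects an account, and a passphrase, stretched with PBKDF2 and replaceable at will, is the only thing that authenticates it.  The Directory class, its account store, the template bytes, the PBKDF2 iteration count and the "lifted" print are all assumptions of this example; a real reader produces a fuzzy template matched within a tolerance, which is simplified here to an exact match, since that detail does not change the argument.

```python
"""Biometric as identifier, passphrase as authenticator (added example)."""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000   # assumption for this demo; tune to your hardware


class Directory:
    """Hypothetical account store that never treats a fingerprint as a secret.

    Simplification: real readers produce fuzzy templates matched within a
    tolerance; here a template is opaque bytes and matching is exact.
    """

    def __init__(self):
        self._user_by_print = {}   # sha256(template) -> username (lookup only)
        self._credentials = {}     # username -> (salt, PBKDF2 verifier)
        # Fixed dummy credential so an unknown username costs the same
        # PBKDF2 time as a real one (no timing-based username enumeration).
        self._dummy = (b"\0" * 16, b"\0" * 32)

    @staticmethod
    def _print_id(template: bytes) -> str:
        return hashlib.sha256(template).hexdigest()

    @staticmethod
    def _derive(passphrase: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS)

    def enroll(self, username: str, template: bytes, passphrase: str) -> None:
        salt = secrets.token_bytes(16)
        self._credentials[username] = (salt, self._derive(passphrase, salt))
        self._user_by_print[self._print_id(template)] = username

    def identify(self, template: bytes):
        """Who does this finger claim to be?  A lifted print answers this too."""
        return self._user_by_print.get(self._print_id(template))

    def authenticate(self, username: str, passphrase: str) -> bool:
        """Is the claimant who they say they are?  Only the passphrase decides."""
        salt, verifier = self._credentials.get(username, self._dummy)
        candidate = self._derive(passphrase, salt)
        # Constant-time compare first, then the membership check.
        return hmac.compare_digest(candidate, verifier) and username in self._credentials

    def rotate_passphrase(self, username: str, old: str, new: str) -> bool:
        """The property a fingerprint lacks: a passphrase can be replaced."""
        if not self.authenticate(username, old):
            return False
        salt = secrets.token_bytes(16)
        self._credentials[username] = (salt, self._derive(new, salt))
        return True

    def login(self, template: bytes, passphrase: str):
        """Fingerprint selects the account, passphrase proves it; None on failure."""
        username = self.identify(template)
        if username is None:
            return None
        return username if self.authenticate(username, passphrase) else None


def demo():
    """Walk through enrollment, a lifted print, and passphrase rotation."""
    d = Directory()
    alice_print = b"constructed-template-alice"   # stands in for reader output
    d.enroll("alice", alice_print, "correct horse battery staple")
    lifted = alice_print   # the copy left on the laptop lid is the same template
    return {
        "lifted_print_identifies": d.identify(lifted),                       # "alice"
        "lifted_print_alone_logs_in": d.login(lifted, "") is not None,       # False
        "with_passphrase": d.login(lifted, "correct horse battery staple"),  # "alice"
        "rotated": d.rotate_passphrase("alice", "correct horse battery staple", "new phrase"),
        "old_phrase_after_rotation": d.login(lifted, "correct horse battery staple"),  # None
        "new_phrase_after_rotation": d.login(lifted, "new phrase"),          # "alice"
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Note that `identify` succeeds for the lifted copy of the print exactly as it does for the owner, which is the post's point: the fingerprint is the username.  There is deliberately no `rotate_fingerprint` method, because there is nothing to rotate to.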


Friday, September 20, 2013

Byobu Prompt Now Includes Exit Code of Previous Command and ⟫

Three changes landed in Byobu yesterday, just ahead of Ubuntu 13.10 User Interface Freeze.  These are incremental changes on the work I recently introduced with Byobu's fancy new $PS1 command prompt...

  1. The prompt now shows the previous command's exit status, if it's non-zero.  This integer is the $? exit code of the previous command.  I was sitting next to Martin Pitt in New Orleans, at the Linux Plumbers conference and immediately fell in love with this idea.  How many times have we not noticed that the previous command exited non-zero...  Never again!!!
  2. The prompt now ends with ⟫ instead of ❭.  I tested every terminal I could get my hands on in Ubuntu, including: gnome-terminal, xterm, uxterm, terminator, konsole.  It turns out that the ⟫ symbol is rendered correctly in more of these (xterm and friends) than ❭.
  3. There is also a new keybinding, Alt-F5, which toggles on and off UTF-8 support in the status bar and on the PS1.  The goal here is to provide a fix and an easy escape route when you end up in a terminal that does not properly support UTF-8 out of the box (and Byobu is not able to accurately determine this), like here and here.
Of course, you can always trivially enable and disable Byobu's prompt using:



Tuesday, September 10, 2013

Introducing run-one-constantly, run-one-until-failure and run-one-until-success

Necessity is truly the mother of invention.  I was working from the Isle of Man recently, and really, really enjoyed my stay!  There's no better description for the Isle of Man than "quaint":
adjective
1. attractively unusual or old-fashioned.
"quaint country cottages"
Though that description applies to the Internet connectivity, as well :-)  Truth be told, most hotel WiFi is pretty bad.  But nestle a lovely little old hotel on a forgotten little Viking/Celtic island and you will really see the problem exacerbated.

I worked around most of my downstream issues with a couple of new extensions to the run-one project, and I'm delighted as always to share these with you in Ubuntu's package!

As a reminder, the run-one package already provides:
  • run-one COMMAND [ARGS]
    • This is a wrapper script that runs no more than one unique instance of some command with a unique set of arguments.
    • This is often useful with cronjobs, when you want no more than one copy running at a time.
  • run-this-one COMMAND [ARGS]
    • This is exactly like run-one, except that it will use pgrep and kill to find and kill any running processes owned by the user and matching the target commands and arguments.
    • Note that run-this-one will block while trying to kill matching processes, until all matching processes are dead.
    • This is often useful when you want to kill any previous copies of the process you want to run (like VPN, SSL, and SSH tunnels).
  • keep-one-running COMMAND [ARGS]
    • This command operates exactly like run-one except that it respawns the command with its arguments if it exits for any reason (zero or non-zero).
    • This is useful when you want to ensure that you always have a copy of a command or process running, in case it dies or exits for any reason.
Newly added, you can now:
  • run-one-constantly COMMAND [ARGS]
    • This is simply an alias for keep-one-running.
    • I've never liked the fact that this command started with "keep-" instead of "run-one-", from a namespace and discoverability perspective.
  • run-one-until-success COMMAND [ARGS]
    • This command operates exactly like run-one-constantly except that it respawns "COMMAND [ARGS]" until COMMAND exits successfully (ie, exits zero).
    • This is useful when downloading something, perhaps using wget --continue or rsync, over a crappy quaint hotel WiFi connection.
  • run-one-until-failure COMMAND [ARGS]
    • This command operates exactly like run-one-constantly except that it respawns "COMMAND [ARGS]" until COMMAND exits with failure (ie, exits non-zero).
    • This is useful when you want to run something until something goes wrong.
I am occasionally asked about the difference between these tools and the nohup command...
  1. First, the "one" part of run-one-constantly is important, in that it uses run-one to protect you from running more than one instance of the specified command. This is handy for something like an ssh tunnel, that you only really want/need one of.
  2. Second, nohup doesn't rerun the specified command if it exits cleanly, or forcibly gets killed. nohup only ignores the hangup signal.
So you might say that the run-one tools are a bit more resilient than nohup.

You can use all of these as of Ubuntu 13.10 (Saucy), by simply:

sudo apt-get install run-one

Or, for older Ubuntu releases:

sudo apt-add-repository ppa:run-one/ppa
sudo apt-get update
sudo apt-get install run-one

I was also asked about the difference between these tools and upstart...

Upstart is Ubuntu's event driven replacement for sysvinit.  It's typically used to start daemons and other scripts, utilities, and "jobs" at boot time.  It has a really cool feature/command/option called respawn, which can be used to provide a very similar effect as run-one-constantly.  In fact, I've used respawn in several of the upstart jobs I've written for the Ubuntu server, so I'm happy to credit upstart's respawn for the idea.

That said, I think upstart and run-one are different enough to merit both tools, at least on my servers.

  1. An upstart job is defined by its own script-like syntax.  You can see many examples in Ubuntu's /etc/init/*.conf.  On my system the average upstart job is 25 lines long.  The run-one commands are simply prepended onto the beginning of any command line program and arguments you want to run.  You can certainly use run-one and friends inside of a script, but they're typically used in an interactive shell command line.
  2. An upstart job typically runs at boot time, or when "started" using the start command, and these start jobs are located in the root-writable /etc/init/.  Can a non-root user write their own upstart job, and start and stop it?  Not that I can tell (and I'm happy to be corrected here)...    Turns out I was wrong about that, per a set of recently added features to Upstart (thanks, James and Stuart, for pointing out!), non-root users can now write and run their own upstart jobs.   Still, any user on the system can launch run-one jobs, and their own command+arguments namespace is unique to them.
  3. run-one is easily usable on systems that do not have upstart available; the only hard dependency is on the flock(1) utility.
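The two mechanisms the post describes, a per-command-line exclusive lock and a respawn loop that stops on success or on failure, as an added example in Python (this is not the run-one package's own code, which is shell on top of flock(1), but the kernel flock semantics it rests on are the same).  The lock directory layout, the SHA-256 key, the `delay` back-off, the `max_runs` bound and the `flaky_command` stand-in for a download over bad WiFi are all this example's own choices.

```python
"""Mutual exclusion and respawn loops modelled on run-one (added example)."""
import fcntl
import hashlib
import os
import subprocess
import tempfile
import time


def lock_path(argv, lock_dir=None):
    """One lock file per distinct command line, private to this user.

    Hashing the full argv (NUL-joined, so ["a b"] and ["a", "b"] differ) is
    what makes `ssh -N host1` and `ssh -N host2` independent jobs.
    """
    digest = hashlib.sha256(b"\0".join(a.encode() for a in argv)).hexdigest()
    lock_dir = lock_dir or os.path.join(tempfile.gettempdir(), "run-one-%d" % os.getuid())
    os.makedirs(lock_dir, mode=0o700, exist_ok=True)
    return os.path.join(lock_dir, digest)


def acquire(argv, lock_dir=None):
    """Try to take the exclusive flock without blocking.

    Returns an open fd holding the lock, or None if another instance of this
    exact command line already holds it (the case run-one silently skips).
    """
    fd = os.open(lock_path(argv, lock_dir), os.O_RDWR | os.O_CREAT, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except BlockingIOError:
        os.close(fd)
        return None
    return fd


def release(fd):
    # Closing the descriptor drops the flock.  The kernel also drops it when
    # the holder dies, so a stale lock file never blocks the next run.
    os.close(fd)


def run_one(argv, lock_dir=None):
    """run-one: run argv unless it is already running.  Exit status, or None if skipped."""
    fd = acquire(argv, lock_dir)
    if fd is None:
        return None
    try:
        return subprocess.call(argv)
    finally:
        release(fd)


def run_one_until(argv, stop_when, lock_dir=None, delay=0.0, max_runs=None):
    """Hold the lock across respawns and rerun argv until stop_when(status).

    run-one-until-success: stop_when=lambda s: s == 0
    run-one-until-failure: stop_when=lambda s: s != 0
    run-one-constantly:    stop_when=lambda s: False   (bound it with max_runs)
    Returns (last_status, runs), or None if the job was already running.
    `delay` is this example's back-off between respawns, not a run-one option.
    """
    fd = acquire(argv, lock_dir)
    if fd is None:
        return None
    runs = 0
    try:
        while True:
            status = subprocess.call(argv)
            runs += 1
            if stop_when(status) or (max_runs is not None and runs >= max_runs):
                return status, runs
            time.sleep(delay)
    finally:
        release(fd)


def flaky_command(counter_path, succeed_on):
    """Constructed stand-in for a download over bad WiFi: exits non-zero until
    its counter file reaches succeed_on, then exits 0."""
    script = 'n=$(cat "$1" 2>/dev/null || echo 0); n=$((n+1)); echo "$n" > "$1"; [ "$n" -ge "$2" ]'
    return ["sh", "-c", script, "sh", counter_path, str(succeed_on)]


def scratch_dir():
    """Private lock directory for a demo run."""
    return tempfile.mkdtemp(prefix="run-one-demo-")


if __name__ == "__main__":
    d = scratch_dir()
    cmd = flaky_command(os.path.join(d, "attempts"), 3)
    print(run_one_until(cmd, lambda s: s == 0, lock_dir=d))   # (0, 3)
```

The lock is taken once and held for the whole respawn loop, so a second `run-one-until-success` of the same command line is refused while the first is still retrying; that is the "one" the post contrasts with nohup.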
Hope that helps!

Happy running,