Check out remote-vulnerability-in-firefox… It’s describes that firefox extensions hosted on a non https site are vulnerable. The vast majority of the open source/hobbyist made Firefox extensions – those that are hosted at https://addons.mozilla.org – are not vulnerable to this attack. Users of popular Firefox extensions such as NoScript, Greasemonkey, and AdBlock Plus have nothing to worry about.
Month: May 2007
Bigip : multiple virtual services running on different ports connected to one pool
Scenario
– Two application servers
– Each application server hosts different 3 services (different ports) which depend on eachother
Objective
When one of the services on a node goes down (checked by a monitor), then all services should be marked as down.
Possible Solutions
- Solution “divided” : A seperate pool for each service
The way you normally do this, yet it’s not that clean as you make the situation a bit more bloated. - Solution “combined” : One pool for all services
Use the “translate service disable” option when creating a virtual server. This will disable port translation for the specific virtual server.
Example
If the virtual port is 65001, and the port used for the poolmembers is 65101, then when a request is send to the virtual ip on port 65001, then it will be rerouted to the pool member’s port 65101.
If the “translate service” option is set to “disable”, then the request will be sent to the pool member’s port 65001.
In this case you can setup one pool, with different checks for all services the nodes should provide. And create virtual servers pointing to one single pool.
man virtual
translate service
The options are enable or disable. You can turn port translation
off for a virtual server if you want to use the virtual server to
load balance connections to any service.
Bigip : connection mirroring
Scenario
There are two loadbalancers which are setup as a redudant pair which provides a default simple virtual server (with pool).
Let’s say you’d setup a connection towards this virtual server, and afterwards there’dd be a failover.
What happens to the connection that was setup to the load balancer that was setup?
- The connection is being migrated to the other load balancer.
- The connection remains as it was, directed to the “failed” load balancer.
- The connection is terminated/reset (by the BigIP).
It might be a surprise to some, that the correct answer is the second one. The connection remains “as it was”. Off course it won’t be functional; Yet there will be no fail over of this connection by default, or will the connection be terminated/reset by the BigIP
When (and how) the connection will be reset depends solely on the client!
So one might ask: “Why doesn’t the BigIP send a fin/rst to the client?”
Another question might answer this: “How would the BigIP be able to send the fin/rst packet as it failed?” A failover occurs when the unit isn’t accessible anymore (If it got disconnected from the network, crashed… etc). It wouldn’t be able to send this packet.
There is however a mechanism that does a fail over to the other BigIP. But there is a (performance) trade off involved. This mechanism is called “connection mirroring”. So the state of all the connections made to the active BigIP are also kept on the standby BigIP.
HOWTO
You can enable the “connection mirroring” thru :
– the command line (“man virtual”) : “b virtual *name* mirror conn enable”
– the GUI (virtual server -> advanced) : GUI Screenshot
So if you REALLY need it, you can use the option, yet be aware of the performance degradation that’ll cause.
New layout!
I was tired of the “default” wordpress theme, so I’ve switched the site to “DkBlog 1.1 by Seobilgi“. A personal improvement based on style, but also on layout. The default theme removed all menu bars (and so on) when viewing a post, where this theme keeps the important things where they should be.
I’ve also extended the wordpress installlation with the “WP-Syntax” plugin. This is nicer on the code I’ve been posting. Where this plugin keeps the layout, and even does some highlighting.
The octaldump of the unix2dos / dos2unix
Let’s start out with a file we’ve created in unix (solaris). When doing an octal dump (od) of this file, we’ll see that the end-of-line (newline) is represented with an n
bash-2.03$ cat test
linetest
bash-2.03$ od -c test
0000000 l i n e t e s t n
0000011
Let’s convert this file to a DOS (windows) file:
bash-2.03$ unix2dos test test2
If we do an octaldump of this newly generated file, then we’ll see that it had a “return” and a “newline”.
bash-2.03$ cat test2
linetest
bash-2.03$ od -c test2
0000000 l i n e t e s t r n
0000012
NOTE(s):
– the unix2dos & dos2unix are eachother’s equivalents…
– the commands can be used to convert files for to be compatible for the other
My own setlock program written in oldskool C
Following on my previous post on my own setlock code;
I found out that (even after some extra versions), the bash version was simply not solid enough to be used in production. So I’ve written the code in C, where I could use the “fcntl” directly.
The objectives for writing the program, was to extent the regular “setlock” program (from Daemon Tools) to:
– a freely usable code (without Copywright), thus “our own” code
– have an “override” feature (force option)
This program is used in a small framework where it’s architecture was setup in a way where one process periodically updates data. And that this data could be accessed from time to time to be manipulated.
The code:
[my_clearcase_view]kvaes@solaris:~/setlock cat setlock-nsn.c
#include
#include
#include
#include
#include
#include
#include
int DoLock(int, int, int);
#define read_lock(LockFD)
DoLock(LockFD, F_SETLK, F_RDLCK)
#define read_wait_lock(LockFD)
DoLock(LockFD, F_SETLKW, F_RDLCK)
#define write_lock(LockFD)
DoLock(LockFD, F_SETLK, F_WRLCK)
#define write_wait_lock(LockFD)
DoLock(LockFD, F_SETLKW, F_WRLCK)
#define unlock(LockFD)
DoLock(LockFD, F_SETLK, F_UNLCK)
pid_t PidLock(int, int);
#define readlocked(LockFD)
PidLock(LockFD, F_RDLCK)
#define writelocked(LockFD)
PidLock(LockFD, F_WRLCK)
int
main ( int argc, char *argv[] ){
int LockFD;
int EXIT;
if ( argc 0 )
{
EXIT=kill(PID,SIGTERM);
if ( EXIT != 0 )
{
printf("Error while trying to kill pid $d.n", PID);
exit(errno);
}
EXIT=unlock(LockFD);
if ( EXIT != 0 )
{
printf("Error while trying to unlock.n");
exit(errno);
}
}
EXIT=write_lock(LockFD);
FOUND=1;
}
}
MATCHES = strcmp( argv[3], "read" );
if ( MATCHES == 0 )
{
TYPE=2;
MATCHES = strcmp( argv[2], "wait" );
if ( MATCHES == 0 )
{
EXIT=read_wait_lock(LockFD);
FOUND=1;
}
MATCHES = strcmp( argv[2], "nowait" );
if ( MATCHES == 0 )
{
EXIT=read_lock(LockFD);
FOUND=1;
}
MATCHES = strcmp( argv[2], "force" );
if ( MATCHES == 0 )
{
printf("The option %s cannot be used here.n", argv[2]);
exit(-1);
}
}
if ( FOUND == 0 ) {
printf("Wrong wait type entered. (%s)n", argv[2]);
EXIT=-1;
}
else
{
if ( EXIT == 0 )
{
EXIT=execute(argc,argv);
unlock(LockFD);
}
else
{
printf("Error while trying to use a %s lock.n", argv[2]);
exit(errno);
}
}
}
}
exit(EXIT);
}
int execute(int argc, char *argv[])
{
int ret = 0;
char *cmd[argc-4];
char *prog;
int i = 0;
int j = 0;
for ( i = 0; i < argc; ++i )
{
switch ( i ) {
case 0:
//executable name
break;
case 1:
//lock file
break;
case 2:
//how do we wait?
break;
case 3:
//read or write?
break;;
case 4:
prog=argv[i];
cmd[j]=argv[i];
j++;
break;
default:
cmd[j]=argv[i];
j++;
break;
}
}
cmd[j]=(char *)0;
ret = execvp(prog, cmd);
return ret;
}
pid_t PidLock(int LockFD, int type)
{
struct flock lock;
lock.l_type = type;
lock.l_start = 0;
lock.l_whence = SEEK_SET;
lock.l_len = 1;
if (fcntl(LockFD,F_GETLK,&lock) < 0)
{
perror("fcntl");
exit(1);
}
if (lock.l_type == F_UNLCK)
{
return(0);
}
return(lock.l_pid);
}
int DoLock(int LockFD, int cmd, int type)
{
struct flock lock;
lock.l_type = type;
lock.l_start = 0;
lock.l_whence = SEEK_SET;
lock.l_len = 1;
return(fcntl(LockFD, cmd, &lock));
}
Linux vs Solaris Runlevels
Linux
Solaris
Notice Runlevel 5… so don’t mix them up 😉
OpenAds: Managing ads on multiple sites
I’ve been using OpenAds for about a small month now. Where I have to tell you that it’s great! OpenAds is an Ad framework which enables you to control the ads displayed on your site kinda like an ad network (like Adsense) does.
Each ad network has it benefits, but also it’s downsides. So in most cases it’s nice to combine them. This is where OpenAds becomes a key component.
You setup a certain ad zone on your site, which you populate with content generated by the OpenAds framework. In this framework you add the banners (in which type you want!) to be shown in this zone. But you can put restrictions on the behavior of when ads should be shown.
For example:
I mainly use TradeDoubler & Adsense. TradeDoubler gives me more regional banners, but the target audience for this blog is mainly international. So I configured my OpenAds to only show the TradeDoubler banners when the browser “locale” was set to Dutch.
This is only one of the many examples where OpenAds becomes a great product to use. Try it yourself! And you’ll see that it has a great effect on your ad revenue.
my own setlock source code
I’ve added the “force” options, as I needed it for the project I’m working on.
#!/bin/bash
usage()
{
echo "usage: setlock [ -fFnN ] [ -xX ] [ -v ] [ -V ] file program [ arg ... ]"
echo " Options"
echo " -f: No delay. If fn is locked by another process, try to force ownership by trying to kill the process that has the lock."
echo " -F: No delay. If fn is locked by another process, bruteforce ownership by killing the process that has the lock (-9)."
echo " -n: No delay. If fn is locked by another process, setlock gives up."
echo " -N: (Default.) Delay. If fn is locked by another process, setlock waits until it can obtain a new lock."
echo " -x: If fn cannot be created or locked, setlock exits zero."
echo " -X: (Default.) If fn cannot be created or locked, setlock prints an error message and exits nonzero."
echo " -v: Verbose messaging"
echo " -V: Show the version"
exit 1
}
version()
{
echo "Version 0.1"
usage
}
verbose()
{
if [ "$VERBOSE" = "y" ] ; then
echo "$1"
fi
}
cleanup()
{
if [ "$SETLOCK" = "y" ] ; then
killlock
clear_lock
fi
}
trap "cleanup"
set_lock()
{
verbose "set lock"
echo $$ >> $LOCK
SETLOCK=y
}
clear_lock()
{
verbose "Clear lock"
rm $LOCK >/dev/null 2>&1
}
killlock()
{
pids=`cat $LOCK 2>/dev/null`
for pid in $pids
do
verbose "Kill $1 on process $pid"
kill $1 $pid >/dev/null 2>&1
done
}
run_command()
{
set_lock
verbose "Running command"
eval bash -c "$CMD"
RET=$?
verbose "Command done - exit value = $RET"
clear_lock
RET=$?
exit $RET
}
no_wait()
{
verbose "No waiting"
exit $EXITCODE
}
wait_nice()
{
verbose "Waiting nice"
while [ -f "$LOCK" ] ; do
sleep 1
done
run_command
}
force_kill()
{
killlock
run_command
}
force_brute()
{
killlock -9
run_command
}
FORCE=n
DELAY=y
EXITCODE=1
VERBOSE=n
OPTS=0
while getopts "f F n N x X v V" o ; do
case $o in
f) FORCE=y DELAY=n;;
F) FORCE=b DELAY=n;;
n) DELAY=n;;
N) DELAY=y;;
x) EXITCODE=0;;
X) EXITCODE=1;;
v) VERBOSE=y;;
V) version;;
esac
let OPTS=$OPTS+1
done
if [ $# -lt 2 ] ; then
verbose "Not enough parameters given"
usage
fi
APTS=0
while [ $APTS -lt $OPTS ] ; do
shift
let APTS=$APTS+1
done
LOCK=$1
shift
CMD=$*
if [ -z "$LOCK" ] ; then
verbose "No lockfile given"
usage
fi
if [ -z "$CMD" ] ; then
verbose "No command given"
usage
fi
if [ -f "$LOCK" ] ; then
if [ "$DELAY" = "y" ] ; then
wait_nice
else
case "$FORCE" in
"n") no_wait;;
"y") force_kill;;
"b") force_brute;;
*) exit 99;;
esac
fi
else
run_command
fi
Feel free to use it, yet I’m publishing it here under the GPL license
bash : locking issues – example with setlock
Something that kept me busy for a while. An internal (bash) framework sometimes (Isn’t that great! -sigh-) gave unexpected results. Sometimes the timings were too long, and sometimes data was missing. In the end, it was due to a locking issue. A program tried to execute something while forcing an internal lock. Yet the program was waiting until the lock was released. But when in some cases when two programs do this, this causes a deadlock.
The code below is a way to get around this deadlock. It’s an example using “setlock”, yet it shows the concept. Instead of waiting for the program to release the lock (default behaviour with “setlock”), you can script a small loop that comes back after a few seconds. Yet you have to setup the locking mechanism in a manner that it won’t wait for the lock (option -n for “setlock”).
SUME="bash -c "
SETLOCK="path-to-setlock"
EXECUTE="your-script"
PARAMETERS="your-parameters"
ID="your-unique-id-for-locking"
# usage of a control structure with non-wait locking
# this is done to avoid locking issues ^^
var0=0
LIMIT=3
SNOOZE=5
while [ "$var0" -lt "$LIMIT" ]
do
var0=`expr $var0 + 1`
eval $SUME "$SETLOCK -n $TMPDIR/lock_$ID $EXECUTE $PARAMETERS 2>/dev/null " 2>/dev/null
EC=$?
if [ $EC -eq 0 ] ; then
var0=`expr $LIMIT + 1`
else
sleep $SNOOZE
fi
done
exit $EC
Karim Vaes 
