- <title>Recipe to test the Freedombox project on amd64 or Raspberry Pi</title>
- <link>http://people.skolelinux.org/pere/blog/Recipe_to_test_the_Freedombox_project_on_amd64_or_Raspberry_Pi.html</link>
- <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/Recipe_to_test_the_Freedombox_project_on_amd64_or_Raspberry_Pi.html</guid>
- <pubDate>Tue, 10 Sep 2013 14:20:00 +0200</pubDate>
- <description><p>I was introduced to the
-<a href="http://www.freedomboxfoundation.org/">Freedombox project</a>
-in 2010, when Eben Moglen presented his vision about serving the need
-of non-technical people to keep their personal information private and
-within the legal protection of their own homes. The idea is to give
-people back the power over their network and machines, and return
-Internet back to its intended peer-to-peer architecture. Instead of
-depending on a central service, the Freedombox will give everyone
-control over their own basic infrastructure.</p>
-
-<p>I've intended to join the effort since then, but other tasks have
-taken priority. But this summers nasty news about the misuse of trust
-and privilege exercised by the "western" intelligence gathering
-communities increased my eagerness to contribute to a point where I
-actually started working on the project a while back.</p>
-
-<p>The <a href="https://alioth.debian.org/projects/freedombox/">initial
-Debian initiative</a> based on the vision from Eben Moglen, is to
-create a simple and cheap Debian based appliance that anyone can hook
-up in their home and get access to secure and private services and
-communication. The initial deployment platform have been the
-<a href="http://www.globalscaletechnologies.com/t-dreamplugdetails.aspx">Dreamplug</a>,
-which is a piece of hardware I do not own. So to be able to test what
-the current Freedombox setup, I had to come up with a way to install
-it on some hardware I do got access to. I have rewritten the
-<a href="https://github.com/NickDaly/freedom-maker">freedom-maker</a>
-image build framework to use .deb packages instead of only copying
-setup into the boot images, and thanks to this rewrite I am able to
-set up any machine supported by Debian Wheezy as a Freedombox, using
-the previously mentioned deb (and a few support debs for packages
-missing in Debian).</p>
-
-<p>The current Freedombox setup consist of a set of bootstrapping
-scripts
-(<a href="https://github.com/petterreinholdtsen/freedombox-setup">freedombox-setup</a>),
-and a administrative web interface
-(<a href="https://github.com/NickDaly/Plinth">plinth</a> + exmachina +
-withsqlite), as well as a privacy enhancing proxy based on
-<a href="http://packages.qa.debian.org/privoxy">privoxy</a>
-(freedombox-privoxy). There is also a web/javascript based XMPP
-client (<a href="http://packages.qa.debian.org/jwchat">jwchat</a>)
-trying (unsuccessfully so far) to talk to the XMPP server
-(<a href="http://packages.qa.debian.org/ejabberd">ejabberd</a>). The
-web interface is pluggable, and the goal is to use it to enable OpenID
-services, mesh network connectivity, use of TOR, etc, etc. Not much of
-this is really working yet, see
-<a href="https://github.com/NickDaly/freedombox-todos/blob/master/TODO">the
-project TODO</a> for links to GIT repositories. Most of the code is
-on github at the moment. The HTTP proxy is operational out of the
-box, and the admin web interface can be used to add/remove plinth
-users. I've not been able to do anything else with it so far, but
-know there are several branches spread around github and other places
-with lots of half baked features.</p>
-
-<p>Anyway, if you want to have a look at the current stat, the
-following recipes should work to give you a test machine to poke
-at.</p>
-
-<p><strong>Debian Wheezy amd64</strong></p>
-
-<ol>
-
-<li>Fetch normal Debian Wheezy installation ISO.</li>
-<li>Boot from it, either as CD or USB stick.</li>
-<li><p>Press [tab] on the boot prompt and add this as a boot argument
-to the Debian installer:<p>
-<pre>url=<a href="http://www.reinholdtsen.name/freedombox/preseed-wheezy.dat">http://www.reinholdtsen.name/freedombox/preseed-wheezy.dat</a></pre></li>
-
-<li>Answer the few language/region/password questions and pick disk to
-install on.</li>
-
-<li>When the installation is finished and the machine have rebooted a
-few times, your Freedombox is ready for testing.</li>
-
-</ol>
-
-<p><strong>Raspberry Pi Raspbian</strong></p>
-
-<ol>
-
-<li>Fetch a Raspbian SD card image, create SD card.</li>
-<li>Boot from SD card, extend file system to fill the card completely.</li>
-<li><p>Log in and add this to /etc/sources.list:</p>
-<pre>
-deb <a href="http://www.reinholdtsen.name/freedombox/">http://www.reinholdtsen.name/freedombox</a> wheezy main
-</pre></li>
-<li><p>Run this as root:</p>
-<pre>
-wget -O - http://www.reinholdtsen.name/freedombox/BE1A583D.asc | \
- apt-key add -
-apt-get update
-apt-get install freedombox-setup
-/usr/lib/freedombox/setup
-</pre></li>
-<li>Reboot into your freshly created Freedombox.</li>
-
-</ol>
-
-<p>You can test it on other architectures too, but because the
-freedombox-privoxy package is binary, it will only work as intended on
-the architectures where I have had time to build the binary and put it
-in my APT repository. But do not let this stop you. It is only a
-short "<tt>apt-get source -b freedombox-privoxy</tt>" away. :)</p>
-
-<p>Note that by default Freedombox is a DHCP server on the
-192.168.1.0/24 subnet, so if this is your subnet be careful and turn
-off the DHCP server by running "<tt>update-rc.d isc-dhcp-server
-disable</tt>" as root.</p>
-
-<p>Please let me know if this work for you, or if you have any
-problems. We gather on the IRC channel
-<a href="irc://irc.debian.org:6667/%23freedombox">#freedombox</a> on
-irc.debian.org and the
-<a href="http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss">project
-mailing list</a>.</p>
-
-<p>Once you get your freedombox operational, you can visit
-<tt>http://your-host-name:8001/</tt> to see the state of the plint
-welcome screen (dead end - do not be surprised if you are unable to
-get past it), and next visit <tt>http://your-host-name:8001/help/</tt>
-to look at the rest of plinth. The default user is 'admin' and the
-default password is 'secret'.</p>
+ <title>S3QL, a locally mounted cloud file system - nice free software</title>
+ <link>http://people.skolelinux.org/pere/blog/S3QL__a_locally_mounted_cloud_file_system___nice_free_software.html</link>
+ <guid isPermaLink="true">http://people.skolelinux.org/pere/blog/S3QL__a_locally_mounted_cloud_file_system___nice_free_software.html</guid>
+ <pubDate>Wed, 9 Apr 2014 11:30:00 +0200</pubDate>
+ <description><p>For a while now, I have been looking for a sensible offsite backup
+solution for use at home. My requirements are simple, it must be
+cheap and locally encrypted (in other words, I keep the encryption
+keys, the storage provider do not have access to my private files).
+One idea me and my friends had many years ago, before the cloud
+storage providers showed up, was to use Google mail as storage,
+writing a Linux block device storing blocks as emails in the mail
+service provided by Google, and thus get heaps of free space. On top
+of this one can add encryption, RAID and volume management to have
+lots of (fairly slow, I admit that) cheap and encrypted storage. But
+I never found time to implement such system. But the last few weeks I
+have looked at a system called
+<a href="https://bitbucket.org/nikratio/s3ql/">S3QL</a>, a locally
+mounted network backed file system with the features I need.</p>
+
+<p>S3QL is a fuse file system with a local cache and cloud storage,
+handling several different storage providers, any with Amazon S3,
+Google Drive or OpenStack API. There are heaps of such storage
+providers. S3QL can also use a local directory as storage, which
+combined with sshfs allow for file storage on any ssh server. S3QL
+include support for encryption, compression, de-duplication, snapshots
+and immutable file systems, allowing me to mount the remote storage as
+a local mount point, look at and use the files as if they were local,
+while the content is stored in the cloud as well. This allow me to
+have a backup that should survive fire. The file system can not be
+shared between several machines at the same time, as only one can
+mount it at the time, but any machine with the encryption key and
+access to the storage service can mount it if it is unmounted.</p>
+
+<p>It is simple to use. I'm using it on Debian Wheezy, where the
+package is included already. So to get started, run <tt>apt-get
+install s3ql</tt>. Next, pick a storage provider. I ended up picking
+Greenqloud, after reading their nice recipe on
+<a href="https://greenqloud.zendesk.com/entries/44611757-How-To-Use-S3QL-to-mount-a-StorageQloud-bucket-on-Debian-Wheezy">how
+to use S3QL with their Amazon S3 service</a>, because I trust the laws
+in Iceland more than those in USA when it come to keeping my personal
+data safe and private, and thus would rather spend money on a company
+in Iceland. Another nice recipe is available from the article
+<a href="http://www.admin-magazine.com/HPC/Articles/HPC-Cloud-Storage">S3QL
+Filesystem for HPC Storage</a> by Jeff Layton in the HPC section of
+Admin magazine. When the provider is picked, figure out how to get
+the API key needed to connect to the storage API. With Greencloud,
+the key did not show up until I had added payment details to my
+account.</p>
+
+<p>Armed with the API access details, it is time to create the file
+system. First, create a new bucket in the cloud. This bucket is the
+file system storage area. I picked a bucket name reflecting the
+machine that was going to store data there, but any name will do.
+I'll refer to it as <tt>bucket-name</tt> below. In addition, one need
+the API login and password, and a locally created password. Store it
+all in ~root/.s3ql/authinfo2 like this:
+
+<p><blockquote><pre>
+[s3c]
+storage-url: s3c://s.greenqloud.com:443/bucket-name
+backend-login: API-login
+backend-password: API-password
+fs-passphrase: local-password
+</pre></blockquote></p>
+
+<p>I create my local passphrase using <tt>pwget 50</tt> or similar,
+but any sensible way to create a fairly random password should do it.
+Armed with these details, it is now time to run mkfs, entering the API
+details and password to create it:</p>
+
+<p><blockquote><pre>
+# mkdir -m 700 /var/lib/s3ql-cache
+# mkfs.s3ql --cachedir /var/lib/s3ql-cache --authfile /root/.s3ql/authinfo2 \
+ --ssl s3c://s.greenqloud.com:443/bucket-name
+Enter backend login:
+Enter backend password:
+Before using S3QL, make sure to read the user's guide, especially
+the 'Important Rules to Avoid Loosing Data' section.
+Enter encryption password:
+Confirm encryption password:
+Generating random encryption key...
+Creating metadata tables...
+Dumping metadata...
+..objects..
+..blocks..
+..inodes..
+..inode_blocks..
+..symlink_targets..
+..names..
+..contents..
+..ext_attributes..
+Compressing and uploading metadata...
+Wrote 0.00 MB of compressed metadata.
+# </pre></blockquote></p>
+
+<p>The next step is mounting the file system to make the storage available.
+
+<p><blockquote><pre>
+# mount.s3ql --cachedir /var/lib/s3ql-cache --authfile /root/.s3ql/authinfo2 \
+ --ssl --allow-root s3c://s.greenqloud.com:443/bucket-name /s3ql
+Using 4 upload threads.
+Downloading and decompressing metadata...
+Reading metadata...
+..objects..
+..blocks..
+..inodes..
+..inode_blocks..
+..symlink_targets..
+..names..
+..contents..
+..ext_attributes..
+Mounting filesystem...
+# df -h /s3ql
+Filesystem Size Used Avail Use% Mounted on
+s3c://s.greenqloud.com:443/bucket-name 1.0T 0 1.0T 0% /s3ql
+#
+</pre></blockquote></p>
+
+<p>The file system is now ready for use. I use rsync to store my
+backups in it, and as the metadata used by rsync is downloaded at
+mount time, no network traffic (and storage cost) is triggered by
+running rsync. To unmount, one should not use the normal umount
+command, as this will not flush the cache to the cloud storage, but
+instead running the umount.s3ql command like this:
+
+<p><blockquote><pre>
+# umount.s3ql /s3ql
+#
+</pre></blockquote></p>
+
+<p>There is a fsck command available to check the file system and
+correct any problems detected. This can be used if the local server
+crashes while the file system is mounted, to reset the "already
+mounted" flag. This is what it look like when processing a working
+file system:</p>
+
+<p><blockquote><pre>
+# fsck.s3ql --force --ssl s3c://s.greenqloud.com:443/bucket-name
+Using cached metadata.
+File system seems clean, checking anyway.
+Checking DB integrity...
+Creating temporary extra indices...
+Checking lost+found...
+Checking cached objects...
+Checking names (refcounts)...
+Checking contents (names)...
+Checking contents (inodes)...
+Checking contents (parent inodes)...
+Checking objects (reference counts)...
+Checking objects (backend)...
+..processed 5000 objects so far..
+..processed 10000 objects so far..
+..processed 15000 objects so far..
+Checking objects (sizes)...
+Checking blocks (referenced objects)...
+Checking blocks (refcounts)...
+Checking inode-block mapping (blocks)...
+Checking inode-block mapping (inodes)...
+Checking inodes (refcounts)...
+Checking inodes (sizes)...
+Checking extended attributes (names)...
+Checking extended attributes (inodes)...
+Checking symlinks (inodes)...
+Checking directory reachability...
+Checking unix conventions...
+Checking referential integrity...
+Dropping temporary indices...
+Backing up old metadata...
+Dumping metadata...
+..objects..
+..blocks..
+..inodes..
+..inode_blocks..
+..symlink_targets..
+..names..
+..contents..
+..ext_attributes..
+Compressing and uploading metadata...
+Wrote 0.89 MB of compressed metadata.
+#
+</pre></blockquote></p>
+
+<p>Thanks to the cache, working on files that fit in the cache is very
+quick, about the same speed as local file access. Uploading large
+amount of data is to me limited by the bandwidth out of and into my
+house. Uploading 685 MiB with a 100 MiB cache gave me 305 kiB/s,
+which is very close to my upload speed, and downloading the same
+Debian installation ISO gave me 610 kiB/s, close to my download speed.
+Both were measured using <tt>dd</tt>. So for me, the bottleneck is my
+network, not the file system code. I do not know what a good cache
+size would be, but suspect that the cache should e larger than your
+working set.</p>
+
+<p>I mentioned that only one machine can mount the file system at the
+time. If another machine try, it is told that the file system is
+busy:</p>
+
+<p><blockquote><pre>
+# mount.s3ql --cachedir /var/lib/s3ql-cache --authfile /root/.s3ql/authinfo2 \
+ --ssl --allow-root s3c://s.greenqloud.com:443/bucket-name /s3ql
+Using 8 upload threads.
+Backend reports that fs is still mounted elsewhere, aborting.
+#
+</pre></blockquote></p>
+
+<p>The file content is uploaded when the cache is full, while the
+metadata is uploaded once every 24 hour by default. To ensure the
+file system content is flushed to the cloud, one can either umount the
+file system, or ask S3QL to flush the cache and metadata using
+s3qlctrl:
+
+<p><blockquote><pre>
+# s3qlctrl upload-meta /s3ql
+# s3qlctrl flushcache /s3ql
+#
+</pre></blockquote></p>
+
+<p>If you are curious about how much space your data uses in the
+cloud, and how much compression and deduplication cut down on the
+storage usage, you can use s3qlstat on the mounted file system to get
+a report:</p>
+
+<p><blockquote><pre>
+# s3qlstat /s3ql
+Directory entries: 9141
+Inodes: 9143
+Data blocks: 8851
+Total data size: 22049.38 MB
+After de-duplication: 21955.46 MB (99.57% of total)
+After compression: 21877.28 MB (99.22% of total, 99.64% of de-duplicated)
+Database size: 2.39 MB (uncompressed)
+(some values do not take into account not-yet-uploaded dirty blocks in cache)
+#
+</pre></blockquote></p>
+
+<p>I mentioned earlier that there are several possible suppliers of
+storage. I did not try to locate them all, but am aware of at least
+<a href="https://www.greenqloud.com/">Greenqloud</a>,
+<a href="http://drive.google.com/">Google Drive</a>,
+<a href="http://aws.amazon.com/s3/">Amazon S3 web serivces</a>,
+<a href="http://www.rackspace.com/">Rackspace</a> and
+<a href="http://crowncloud.net/">Crowncloud</A>. The latter even
+accept payment in Bitcoin. Pick one that suit your need. Some of
+them provide several GiB of free storage, but the prize models are
+quite different and you will have to figure out what suits you
+best.</p>
+
+<p>While researching this blog post, I had a look at research papers
+and posters discussing the S3QL file system. There are several, which
+told me that the file system is getting a critical check by the
+science community and increased my confidence in using it. One nice
+poster is titled
+"<a href="http://www.lanl.gov/orgs/adtsc/publications/science_highlights_2013/docs/pg68_69.pdf">An
+Innovative Parallel Cloud Storage System using OpenStack’s SwiftObject
+Store and Transformative Parallel I/O Approach</a>" by Hsing-Bung
+Chen, Benjamin McClelland, David Sherrill, Alfred Torrez, Parks Fields
+and Pamela Smith. Please have a look.</p>
+
+<p>Given my problems with different file systems earlier, I decided to
+check out the mounted S3QL file system to see if it would be usable as
+a home directory (in other word, that it provided POSIX semantics when
+it come to locking and umask handling etc). Running
+<a href="http://people.skolelinux.org/pere/blog/Testing_if_a_file_system_can_be_used_for_home_directories___.html">my
+test code to check file system semantics</a>, I was happy to discover that
+no error was found. So the file system can be used for home
+directories, if one chooses to do so.</p>
+
+<p>If you do not want a locally file system, and want something that
+work without the Linux fuse file system, I would like to mention the
+<a href="http://www.tarsnap.com/">Tarsnap service</a>, which also
+provide locally encrypted backup using a command line client. It have
+a nicer access control system, where one can split out read and write
+access, allowing some systems to write to the backup and others to
+only read from it.</p>
+
+<p>As usual, if you use Bitcoin and want to show your support of my
+activities, please send Bitcoin donations to my address
+<b><a href="bitcoin:15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b&label=PetterReinholdtsenBlog">15oWEoG9dUPovwmUL9KWAnYRtNJEkP1u1b</a></b>.</p>
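Review bot: The authinfo2 step in the added S3QL entry ("Store it all in ~root/.s3ql/authinfo2 like this:") places backend-password and fs-passphrase in a plain-text file without stating what mode the file should have, even though the cache directory a few lines later is created with "mkdir -m 700". Suggest adding a step that restricts the file to root, for example "chmod 600 /root/.s3ql/authinfo2", before the mkfs.s3ql call. The fsck.s3ql example also omits the "--cachedir /var/lib/s3ql-cache --authfile /root/.s3ql/authinfo2" arguments that the mkfs.s3ql and mount.s3ql examples pass, which makes it inconsistent with the cache directory used for the mount; pass the same arguments there. Markup: the four paragraphs that introduce a command block (the two ending "like this:", the one ending "make the storage available." and the one ending "using s3qlctrl:") open with <p> but are never closed before the following <p><blockquote><pre>, and the closing tag after Crowncloud is written "</A>". Spelling in the added text: "Greencloud" (elsewhere "Greenqloud"), "should e larger", "prize models", "web serivces".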