1 <?xml version=
"1.0" encoding=
"utf-8"?>
2 <rss version='
2.0' xmlns:lj='http://www.livejournal.org/rss/lj/
1.0/' xmlns:
atom=
"http://www.w3.org/2005/Atom">
4 <title>Petter Reinholdtsen
</title>
5 <description></description>
6 <link>http://people.skolelinux.org/pere/blog/
</link>
7 <atom:link href=
"http://people.skolelinux.org/pere/blog/index.rss" rel=
"self" type=
"application/rss+xml" />
10 <title>Release
0.1.1 of free software archive system Nikita announced
</title>
11 <link>http://people.skolelinux.org/pere/blog/Release_0_1_1_of_free_software_archive_system_Nikita_announced.html
</link>
12 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Release_0_1_1_of_free_software_archive_system_Nikita_announced.html
</guid>
13 <pubDate>Sat,
10 Jun
2017 00:
40:
00 +
0200</pubDate>
14 <description><p
>I am very happy to report that the
15 <a href=
"https://github.com/hiOA-ABI/nikita-noark5-core
">Nikita Noark
5
16 core project
</a
> tagged its second release today. The free software
17 solution is an implementation of the Norwegian archive standard Noark
18 5 used by government offices in Norway. These were the changes in
19 version
0.1.1 since version
0.1.0 (from NEWS.md):
23 <li
>Continued work on the angularjs GUI, including document upload.
</li
>
24 <li
>Implemented correspondencepartPerson, correspondencepartUnit and
25 correspondencepartInternal
</li
>
26 <li
>Applied for coverity coverage and started submitting code on
27 regualr basis.
</li
>
28 <li
>Started fixing bugs reported by coverity
</li
>
29 <li
>Corrected and completed HATEOAS links to make sure entire API is
30 available via URLs in _links.
</li
>
31 <li
>Corrected all relation URLs to use trailing slash.
</li
>
32 <li
>Add initial support for storing data in ElasticSearch.
</li
>
33 <li
>Now able to receive and store uploaded files in the archive.
</li
>
34 <li
>Changed JSON output for object lists to have relations in _links.
</li
>
35 <li
>Improve JSON output for empty object lists.
</li
>
36 <li
>Now uses correct MIME type application/vnd.noark5-v4+json.
</li
>
37 <li
>Added support for docker container images.
</li
>
38 <li
>Added simple API browser implemented in JavaScript/Angular.
</li
>
39 <li
>Started on archive client implemented in JavaScript/Angular.
</li
>
40 <li
>Started on prototype to show the public mail journal.
</li
>
41 <li
>Improved performance by disabling Sprint FileWatcher.
</li
>
42 <li
>Added support for
'arkivskaper
',
'saksmappe
' and
'journalpost
'.
</li
>
43 <li
>Added support for some metadata codelists.
</li
>
44 <li
>Added support for Cross-origin resource sharing (CORS).
</li
>
45 <li
>Changed login method from Basic Auth to JSON Web Token (RFC
7519)
47 <li
>Added support for GET-ing ny-* URLs.
</li
>
48 <li
>Added support for modifying entities using PUT and eTag.
</li
>
49 <li
>Added support for returning XML output on request.
</li
>
50 <li
>Removed support for English field and class names, limiting ourself
51 to the official names.
</li
>
52 <li
>...
</li
>
56 <p
>If this sound interesting to you, please contact us on IRC (#nikita
57 on irc.freenode.net) or email
58 (
<a href=
"https://lists.nuug.no/mailman/listinfo/nikita-noark
">nikita-noark
59 mailing list).
</p
>
64 <title>Idea for storing trusted timestamps in a Noark
5 archive
</title>
65 <link>http://people.skolelinux.org/pere/blog/Idea_for_storing_trusted_timestamps_in_a_Noark_5_archive.html
</link>
66 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Idea_for_storing_trusted_timestamps_in_a_Noark_5_archive.html
</guid>
67 <pubDate>Wed,
7 Jun
2017 21:
40:
00 +
0200</pubDate>
68 <description><p
><em
>This is a copy of
69 <a href=
"https://lists.nuug.no/pipermail/nikita-noark/
2017-June/
000297.html
">an
70 email I posted to the nikita-noark mailing list
</a
>. Please follow up
71 there if you would like to discuss this topic. The background is that
72 we are making a free software archive system based on the Norwegian
73 <a href=
"https://www.arkivverket.no/forvaltning-og-utvikling/regelverk-og-standarder/noark-standarden
">Noark
74 5 standard
</a
> for government archives.
</em
></p
>
76 <p
>I
've been wondering a bit lately how trusted timestamps could be
78 <a href=
"https://en.wikipedia.org/wiki/Trusted_timestamping
">Trusted
79 timestamps
</a
> can be used to verify that some information
80 (document/file/checksum/metadata) have not been changed since a
81 specific time in the past. This is useful to verify the integrity of
82 the documents in the archive.
</p
>
84 <p
>Then it occured to me, perhaps the trusted timestamps could be
85 stored as dokument variants (ie dokumentobjekt referered to from
86 dokumentbeskrivelse) with the filename set to the hash it is
89 <p
>Given a
"dokumentbeskrivelse
" with an associated
"dokumentobjekt
",
90 a new dokumentobjekt is associated with
"dokumentbeskrivelse
" with the
91 same attributes as the stamped dokumentobjekt except these
96 <li
>format -
> "RFC3161
"
97 <li
>mimeType -
> "application/timestamp-reply
"
98 <li
>formatDetaljer -
> "&lt;source URL for timestamp service
&gt;
"
99 <li
>filenavn -
> "&lt;sjekksum
&gt;.tsr
"
103 <p
>This assume a service following
104 <a href=
"https://tools.ietf.org/html/rfc3161
">IETF RFC
3161</a
> is
105 used, which specifiy the given MIME type for replies and the .tsr file
106 ending for the content of such trusted timestamp. As far as I can
107 tell from the Noark
5 specifications, it is OK to have several
108 variants/renderings of a dokument attached to a given
109 dokumentbeskrivelse objekt. It might be stretching it a bit to make
110 some of these variants represent crypto-signatures useful for
111 verifying the document integrity instead of representing the dokument
114 <p
>Using the source of the service in formatDetaljer allow several
115 timestamping services to be used. This is useful to spread the risk
116 of key compromise over several organisations. It would only be a
117 problem to trust the timestamps if all of the organisations are
118 compromised.
</p
>
120 <p
>The following oneliner on Linux can be used to generate the tsr
121 file. $input is the path to the file to checksum, and $sha256 is the
122 SHA-
256 checksum of the file (ie the
"<sjekksum
>.tsr
" value mentioned
125 <p
><blockquote
><pre
>
126 openssl ts -query -data
"$inputfile
" -cert -sha256 -no_nonce \
127 | curl -s -H
"Content-Type: application/timestamp-query
" \
128 --data-binary
"@-
" http://zeitstempel.dfn.de
> $sha256.tsr
129 </pre
></blockquote
></p
>
131 <p
>To verify the timestamp, you first need to download the public key
132 of the trusted timestamp service, for example using this command:
</p
>
134 <p
><blockquote
><pre
>
135 wget -O ca-cert.txt \
136 https://pki.pca.dfn.de/global-services-ca/pub/cacert/chain.txt
137 </pre
></blockquote
></p
>
139 <p
>Note, the public key should be stored alongside the timestamps in
140 the archive to make sure it is also available
100 years from now. It
141 is probably a good idea to standardise how and were to store such
142 public keys, to make it easier to find for those trying to verify
143 documents
100 or
1000 years from now. :)
</p
>
145 <p
>The verification itself is a simple openssl command:
</p
>
147 <p
><blockquote
><pre
>
148 openssl ts -verify -data $inputfile -in $sha256.tsr \
149 -CAfile ca-cert.txt -text
150 </pre
></blockquote
></p
>
152 <p
>Is there any reason this approach would not work? Is it somehow against
153 the Noark
5 specification?
</p
>
158 <title>Når nynorskoversettelsen svikter til eksamen...
</title>
159 <link>http://people.skolelinux.org/pere/blog/N_r_nynorskoversettelsen_svikter_til_eksamen___.html
</link>
160 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/N_r_nynorskoversettelsen_svikter_til_eksamen___.html
</guid>
161 <pubDate>Sat,
3 Jun
2017 08:
20:
00 +
0200</pubDate>
162 <description><p
><a href=
"http://www.aftenposten.no/norge/Krever-at-elever-ma-fa-annullert-eksamen-etter-rot-med-oppgavetekster-
622459b.html
">Aftenposten
163 melder i dag
</a
> om feil i eksamensoppgavene for eksamen i politikk og
164 menneskerettigheter, der teksten i bokmåls og nynorskutgaven ikke var
165 like. Oppgaveteksten er gjengitt i artikkelen, og jeg ble nysgjerring
166 på om den fri oversetterløsningen
167 <a href=
"https://www.apertium.org/
">Apertium
</a
> ville gjort en bedre
168 jobb enn Utdanningsdirektoratet. Det kan se slik ut.
</p
>
170 <p
>Her er bokmålsoppgaven fra eksamenen:
</p
>
173 <p
>Drøft utfordringene knyttet til nasjonalstatenes og andre aktørers
174 rolle og muligheter til å håndtere internasjonale utfordringer, som
175 for eksempel flykningekrisen.
</p
>
177 <p
>Vedlegge er eksempler på tekster som kan gi relevante perspektiver
180 <li
>Flykningeregnskapet
2016, UNHCR og IDMC
181 <li
>«Grenseløst Europa for fall» A-Magasinet,
26. november
2015
186 <p
>Dette oversetter Apertium slik:
</p
>
189 <p
>Drøft utfordringane knytte til nasjonalstatane sine og rolla til
190 andre aktørar og høve til å handtera internasjonale utfordringar, som
191 til dømes *flykningekrisen.
</p
>
193 <p
>Vedleggja er døme på tekster som kan gje relevante perspektiv på
197 <li
>*Flykningeregnskapet
2016, *UNHCR og *IDMC
</li
>
198 <li
>«*Grenseløst Europa for fall» A-Magasinet,
26. november
2015</li
>
203 <p
>Ord som ikke ble forstått er markert med stjerne (*), og trenger
204 ekstra språksjekk. Men ingen ord er forsvunnet, slik det var i
205 oppgaven elevene fikk presentert på eksamen. Jeg mistenker dog at
206 "andre aktørers rolle og muligheter til ...
" burde vært oversatt til
207 "rolla til andre aktørar og deira høve til ...
" eller noe slikt, men
208 det er kanskje flisespikking. Det understreker vel bare at det alltid
209 trengs korrekturlesning etter automatisk oversettelse.
</p
>
214 <title>Epost inn som arkivformat i Riksarkivarens forskrift?
</title>
215 <link>http://people.skolelinux.org/pere/blog/Epost_inn_som_arkivformat_i_Riksarkivarens_forskrift_.html
</link>
216 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Epost_inn_som_arkivformat_i_Riksarkivarens_forskrift_.html
</guid>
217 <pubDate>Thu,
27 Apr
2017 11:
30:
00 +
0200</pubDate>
218 <description><p
>I disse dager, med frist
1. mai, har Riksarkivaren ute en høring på
219 sin forskrift. Som en kan se er det ikke mye tid igjen før fristen
220 som går ut på søndag. Denne forskriften er det som lister opp hvilke
221 formater det er greit å arkivere i
222 <a href=
"http://www.arkivverket.no/arkivverket/Offentleg-forvalting/Noark/Noark-
5">Noark
223 5-løsninger
</a
> i Norge.
</p
>
225 <p
>Jeg fant høringsdokumentene hos
226 <a href=
"https://www.arkivrad.no/aktuelt/riksarkivarens-forskrift-pa-horing
">Norsk
227 Arkivråd
</a
> etter å ha blitt tipset på epostlisten til
228 <a href=
"https://github.com/hiOA-ABI/nikita-noark5-core
">fri
229 programvareprosjektet Nikita Noark5-Core
</a
>, som lager et Noark
5
230 Tjenestegresesnitt. Jeg er involvert i Nikita-prosjektet og takket
231 være min interesse for tjenestegrensesnittsprosjektet har jeg lest en
232 god del Noark
5-relaterte dokumenter, og til min overraskelse oppdaget
233 at standard epost ikke er på listen over godkjente formater som kan
234 arkiveres. Høringen med frist søndag er en glimrende mulighet til å
235 forsøke å gjøre noe med det. Jeg holder på med
236 <a href=
"https://github.com/petterreinholdtsen/noark5-tester/blob/master/docs/hoering-arkivforskrift.tex
">egen
237 høringsuttalelse
</a
>, og lurer på om andre er interessert i å støtte
238 forslaget om å tillate arkivering av epost som epost i arkivet.
</p
>
240 <p
>Er du igang med å skrive egen høringsuttalelse allerede? I så fall
241 kan du jo vurdere å ta med en formulering om epost-lagring. Jeg tror
242 ikke det trengs så mye. Her et kort forslag til tekst:
</p
>
244 <p
><blockquote
>
246 <p
>Viser til høring sendt ut
2017-
02-
17 (Riksarkivarens referanse
247 2016/
9840 HELHJO), og tillater oss å sende inn noen innspill om
248 revisjon av Forskrift om utfyllende tekniske og arkivfaglige
249 bestemmelser om behandling av offentlige arkiver (Riksarkivarens
250 forskrift).
</p
>
252 <p
>Svært mye av vår kommuikasjon foregår i dag på e-post. Vi
253 foreslår derfor at Internett-e-post, slik det er beskrevet i IETF
255 <a href=
"https://tools.ietf.org/html/rfc5322
">https://tools.ietf.org/html/rfc5322
</a
>. bør
256 inn som godkjent dokumentformat. Vi foreslår at forskriftens
257 oversikt over godkjente dokumentformater ved innlevering i §
5-
16
258 endres til å ta med Internett-e-post.
</p
>
260 </blockquote
></p
>
262 <p
>Som del av arbeidet med tjenestegrensesnitt har vi testet hvordan
263 epost kan lagres i en Noark
5-struktur, og holder på å skrive et
264 forslag om hvordan dette kan gjøres som vil bli sendt over til
265 arkivverket så snart det er ferdig. De som er interesserte kan
266 <a href=
"https://github.com/petterreinholdtsen/noark5-tester/blob/master/docs/epostlagring.md
">følge
267 fremdriften på web
</a
>.
</p
>
269 <p
>Oppdatering
2017-
04-
28: I dag ble høringuttalelsen jeg skrev
270 <a href=
"https://www.nuug.no/news/NUUGs_h_ringuttalelse_til_Riksarkivarens_forskrift.shtml
">sendt
271 inn av foreningen NUUG
</a
>.
</p
>
276 <title>Offentlig elektronisk postjournal blokkerer tilgang for utvalgte webklienter
</title>
277 <link>http://people.skolelinux.org/pere/blog/Offentlig_elektronisk_postjournal_blokkerer_tilgang_for_utvalgte_webklienter.html
</link>
278 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Offentlig_elektronisk_postjournal_blokkerer_tilgang_for_utvalgte_webklienter.html
</guid>
279 <pubDate>Thu,
20 Apr
2017 13:
00:
00 +
0200</pubDate>
280 <description><p
>Jeg oppdaget i dag at
<a href=
"https://www.oep.no/
">nettstedet som
281 publiserer offentlige postjournaler fra statlige etater
</a
>, OEP, har
282 begynt å blokkerer enkelte typer webklienter fra å få tilgang. Vet
283 ikke hvor mange det gjelder, men det gjelder i hvert fall libwww-perl
284 og curl. For å teste selv, kjør følgende:
</p
>
286 <blockquote
><pre
>
287 % curl -v -s https://www.oep.no/pub/report.xhtml?reportId=
3 2>&1 |grep
'< HTTP
'
288 < HTTP/
1.1 404 Not Found
289 % curl -v -s --header
'User-Agent:Opera/
12.0' https://www.oep.no/pub/report.xhtml?reportId=
3 2>&1 |grep
'< HTTP
'
292 </pre
></blockquote
>
294 <p
>Her kan en se at tjenesten gir «
404 Not Found» for curl i
295 standardoppsettet, mens den gir «
200 OK» hvis curl hevder å være Opera
296 versjon
12.0. Offentlig elektronisk postjournal startet blokkeringen
297 2017-
03-
02.
</p
>
299 <p
>Blokkeringen vil gjøre det litt vanskeligere å maskinelt hente
300 informasjon fra oep.no. Kan blokkeringen være gjort for å hindre
301 automatisert innsamling av informasjon fra OEP, slik Pressens
302 Offentlighetsutvalg gjorde for å dokumentere hvordan departementene
304 <a href=
"http://presse.no/dette-mener-np/undergraver-offentlighetsloven/
">rapporten
305 «Slik hindrer departementer innsyn» som ble publiserte i januar
306 2017</a
>. Det virker usannsynlig, da det jo er trivielt å bytte
307 User-Agent til noe nytt.
</p
>
309 <p
>Finnes det juridisk grunnlag for det offentlige å diskriminere
310 webklienter slik det gjøres her? Der tilgang gis eller ikke alt etter
311 hva klienten sier at den heter? Da OEP eies av DIFI og driftes av
312 Basefarm, finnes det kanskje noen dokumenter sendt mellom disse to
313 aktørene man kan be om innsyn i for å forstå hva som har skjedd. Men
314 <a href=
"https://www.oep.no/search/result.html?period=dateRange
&fromDate=
01.01.2016&toDate=
01.04.2017&dateType=documentDate
&caseDescription=
&descType=both
&caseNumber=
&documentNumber=
&sender=basefarm
&senderType=both
&documentType=all
&legalAuthority=
&archiveCode=
&list2=
196&searchType=advanced
&Search=Search+in+records
">postjournalen
315 til DIFI viser kun to dokumenter
</a
> det siste året mellom DIFI og
317 <a href=
"https://www.mimesbronn.no/request/blokkering_av_tilgang_til_oep_fo
">Mimes brønn neste
</a
>,
318 tenker jeg.
</p
>
323 <title>Free software archive system Nikita now able to store documents
</title>
324 <link>http://people.skolelinux.org/pere/blog/Free_software_archive_system_Nikita_now_able_to_store_documents.html
</link>
325 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Free_software_archive_system_Nikita_now_able_to_store_documents.html
</guid>
326 <pubDate>Sun,
19 Mar
2017 08:
00:
00 +
0100</pubDate>
327 <description><p
>The
<a href=
"https://github.com/hiOA-ABI/nikita-noark5-core
">Nikita
328 Noark
5 core project
</a
> is implementing the Norwegian standard for
329 keeping an electronic archive of government documents.
330 <a href=
"http://www.arkivverket.no/arkivverket/Offentlig-forvaltning/Noark/Noark-
5/English-version
">The
331 Noark
5 standard
</a
> document the requirement for data systems used by
332 the archives in the Norwegian government, and the Noark
5 web interface
333 specification document a REST web service for storing, searching and
334 retrieving documents and metadata in such archive. I
've been involved
335 in the project since a few weeks before Christmas, when the Norwegian
337 <a href=
"https://www.nuug.no/news/NOARK5_kjerne_som_fri_programvare_f_r_epostliste_hos_NUUG.shtml
">announced
338 it supported the project
</a
>. I believe this is an important project,
339 and hope it can make it possible for the government archives in the
340 future to use free software to keep the archives we citizens depend
341 on. But as I do not hold such archive myself, personally my first use
342 case is to store and analyse public mail journal metadata published
343 from the government. I find it useful to have a clear use case in
344 mind when developing, to make sure the system scratches one of my
347 <p
>If you would like to help make sure there is a free software
348 alternatives for the archives, please join our IRC channel
349 (
<a href=
"irc://irc.freenode.net/%
23nikita
"">#nikita on
350 irc.freenode.net
</a
>) and
351 <a href=
"https://lists.nuug.no/mailman/listinfo/nikita-noark
">the
352 project mailing list
</a
>.
</p
>
354 <p
>When I got involved, the web service could store metadata about
355 documents. But a few weeks ago, a new milestone was reached when it
356 became possible to store full text documents too. Yesterday, I
357 completed an implementation of a command line tool
358 <tt
>archive-pdf
</tt
> to upload a PDF file to the archive using this
359 API. The tool is very simple at the moment, and find existing
360 <a href=
"https://en.wikipedia.org/wiki/Fonds
">fonds
</a
>, series and
361 files while asking the user to select which one to use if more than
362 one exist. Once a file is identified, the PDF is associated with the
363 file and uploaded, using the title extracted from the PDF itself. The
364 process is fairly similar to visiting the archive, opening a cabinet,
365 locating a file and storing a piece of paper in the archive. Here is
366 a test run directly after populating the database with test data using
367 our API tester:
</p
>
369 <p
><blockquote
><pre
>
370 ~/src//noark5-tester$ ./archive-pdf mangelmelding/mangler.pdf
371 using arkiv: Title of the test fonds created
2017-
03-
18T23:
49:
32.103446
372 using arkivdel: Title of the test series created
2017-
03-
18T23:
49:
32.103446
374 0 - Title of the test case file created
2017-
03-
18T23:
49:
32.103446
375 1 - Title of the test file created
2017-
03-
18T23:
49:
32.103446
376 Select which mappe you want (or search term):
0
377 Uploading mangelmelding/mangler.pdf
378 PDF title: Mangler i spesifikasjonsdokumentet for NOARK
5 Tjenestegrensesnitt
379 File
2017/
1: Title of the test case file created
2017-
03-
18T23:
49:
32.103446
380 ~/src//noark5-tester$
381 </pre
></blockquote
></p
>
383 <p
>You can see here how the fonds (arkiv) and serie (arkivdel) only had
384 one option, while the user need to choose which file (mappe) to use
385 among the two created by the API tester. The
<tt
>archive-pdf
</tt
>
386 tool can be found in the git repository for the API tester.
</p
>
388 <p
>In the project, I have been mostly working on
389 <a href=
"https://github.com/petterreinholdtsen/noark5-tester
">the API
390 tester
</a
> so far, while getting to know the code base. The API
392 <a href=
"https://en.wikipedia.org/wiki/HATEOAS
">the HATEOAS links
</a
>
393 to traverse the entire exposed service API and verify that the exposed
394 operations and objects match the specification, as well as trying to
395 create objects holding metadata and uploading a simple XML file to
396 store. The tester has proved very useful for finding flaws in our
397 implementation, as well as flaws in the reference site and the
398 specification.
</p
>
400 <p
>The test document I uploaded is a summary of all the specification
401 defects we have collected so far while implementing the web service.
402 There are several unclear and conflicting parts of the specification,
404 <a href=
"https://github.com/petterreinholdtsen/noark5-tester/tree/master/mangelmelding
">started
405 writing down
</a
> the questions we get from implementing it. We use a
406 format inspired by how
<a href=
"http://www.opengroup.org/austin/
">The
407 Austin Group
</a
> collect defect reports for the POSIX standard with
408 <a href=
"http://www.opengroup.org/austin/mantis.html
">their
409 instructions for the MANTIS defect tracker system
</a
>, in lack of an official way to structure defect reports for Noark
5 (our first submitted defect report was a
<a href=
"https://github.com/petterreinholdtsen/noark5-tester/blob/master/mangelmelding/sendt/
2017-
03-
15-mangel-prosess.md
">request for a procedure for submitting defect reports
</a
> :).
411 <p
>The Nikita project is implemented using Java and Spring, and is
412 fairly easy to get up and running using Docker containers for those
413 that want to test the current code base. The API tester is
414 implemented in Python.
</p
>
419 <title>Detecting NFS hangs on Linux without hanging yourself...
</title>
420 <link>http://people.skolelinux.org/pere/blog/Detecting_NFS_hangs_on_Linux_without_hanging_yourself___.html
</link>
421 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Detecting_NFS_hangs_on_Linux_without_hanging_yourself___.html
</guid>
422 <pubDate>Thu,
9 Mar
2017 15:
20:
00 +
0100</pubDate>
423 <description><p
>Over the years, administrating thousand of NFS mounting linux
424 computers at the time, I often needed a way to detect if the machine
425 was experiencing NFS hang. If you try to use
<tt
>df
</tt
> or look at a
426 file or directory affected by the hang, the process (and possibly the
427 shell) will hang too. So you want to be able to detect this without
428 risking the detection process getting stuck too. It has not been
429 obvious how to do this. When the hang has lasted a while, it is
430 possible to find messages like these in dmesg:
</p
>
432 <p
><blockquote
>
433 nfs: server nfsserver not responding, still trying
434 <br
>nfs: server nfsserver OK
435 </blockquote
></p
>
437 <p
>It is hard to know if the hang is still going on, and it is hard to
438 be sure looking in dmesg is going to work. If there are lots of other
439 messages in dmesg the lines might have rotated out of site before they
440 are noticed.
</p
>
442 <p
>While reading through the nfs client implementation in linux kernel
443 code, I came across some statistics that seem to give a way to detect
444 it. The om_timeouts sunrpc value in the kernel will increase every
445 time the above log entry is inserted into dmesg. And after digging a
446 bit further, I discovered that this value show up in
447 /proc/self/mountstats on Linux.
</p
>
449 <p
>The mountstats content seem to be shared between files using the
450 same file system context, so it is enough to check one of the
451 mountstats files to get the state of the mount point for the machine.
452 I assume this will not show lazy umounted NFS points, nor NFS mount
453 points in a different process context (ie with a different filesystem
454 view), but that does not worry me.
</p
>
456 <p
>The content for a NFS mount point look similar to this:
</p
>
458 <p
><blockquote
><pre
>
460 device /dev/mapper/Debian-var mounted on /var with fstype ext3
461 device nfsserver:/mnt/nfsserver/home0 mounted on /mnt/nfsserver/home0 with fstype nfs statvers=
1.1
462 opts: rw,vers=
3,rsize=
65536,wsize=
65536,namlen=
255,acregmin=
3,acregmax=
60,acdirmin=
30,acdirmax=
60,soft,nolock,proto=tcp,timeo=
600,retrans=
2,sec=sys,mountaddr=
129.240.3.145,mountvers=
3,mountport=
4048,mountproto=udp,local_lock=all
464 caps: caps=
0x3fe7,wtmult=
4096,dtsize=
8192,bsize=
0,namlen=
255
465 sec: flavor=
1,pseudoflavor=
1
466 events:
61063112 732346265 1028140 35486205 16220064 8162542 761447191 71714012 37189 3891185 45561809 110486139 4850138 420353 15449177 296502 52736725 13523379 0 52182 9016896 1231 0 0 0 0 0
467 bytes:
166253035039 219519120027 0 0 40783504807 185466229638 11677877 45561809
468 RPC iostats version:
1.0 p/v:
100003/
3 (nfs)
469 xprt: tcp
925 1 6810 0 0 111505412 111480497 109 2672418560317 0 248 53869103 22481820
471 NULL:
0 0 0 0 0 0 0 0
472 GETATTR:
61063106 61063108 0 9621383060 6839064400 453650 77291321 78926132
473 SETATTR:
463469 463470 0 92005440 66739536 63787 603235 687943
474 LOOKUP:
17021657 17021657 0 3354097764 4013442928 57216 35125459 35566511
475 ACCESS:
14281703 14290009 5 2318400592 1713803640 1709282 4865144 7130140
476 READLINK:
125 125 0 20472 18620 0 1112 1118
477 READ:
4214236 4214237 0 715608524 41328653212 89884 22622768 22806693
478 WRITE:
8479010 8494376 22 187695798568 1356087148 178264904 51506907 231671771
479 CREATE:
171708 171708 0 38084748 46702272 873 1041833 1050398
480 MKDIR:
3680 3680 0 773980 993920 26 23990 24245
481 SYMLINK:
903 903 0 233428 245488 6 5865 5917
482 MKNOD:
80 80 0 20148 21760 0 299 304
483 REMOVE:
429921 429921 0 79796004 61908192 3313 2710416 2741636
484 RMDIR:
3367 3367 0 645112 484848 22 5782 6002
485 RENAME:
466201 466201 0 130026184 121212260 7075 5935207 5961288
486 LINK:
289155 289155 0 72775556 67083960 2199 2565060 2585579
487 READDIR:
2933237 2933237 0 516506204 13973833412 10385 3190199 3297917
488 READDIRPLUS:
1652839 1652839 0 298640972 6895997744 84735 14307895 14448937
489 FSSTAT:
6144 6144 0 1010516 1032192 51 9654 10022
490 FSINFO:
2 2 0 232 328 0 1 1
491 PATHCONF:
1 1 0 116 140 0 0 0
492 COMMIT:
0 0 0 0 0 0 0 0
494 device binfmt_misc mounted on /proc/sys/fs/binfmt_misc with fstype binfmt_misc
496 </pre
></blockquote
></p
>
498 <p
>The key number to look at is the third number in the per-op list.
499 It is the number of NFS timeouts experiences per file system
500 operation. Here
22 write timeouts and
5 access timeouts. If these
501 numbers are increasing, I believe the machine is experiencing NFS
502 hang. Unfortunately the timeout value do not start to increase right
503 away. The NFS operations need to time out first, and this can take a
504 while. The exact timeout value depend on the setup. For example the
505 defaults for TCP and UDP mount points are quite different, and the
506 timeout value is affected by the soft, hard, timeo and retrans NFS
507 mount options.
</p
>
509 <p
>The only way I have been able to get working on Debian and RedHat
510 Enterprise Linux for getting the timeout count is to peek in /proc/.
512 <ahref=
"http://docs.oracle.com/cd/E19253-
01/
816-
4555/netmonitor-
12/index.html
">Solaris
513 10 System Administration Guide: Network Services
</a
>, the
'nfsstat -c
'
514 command can be used to get these timeout values. But this do not work
515 on Linux, as far as I can tell. I
516 <ahref=
"http://bugs.debian.org/
857043">asked Debian about this
</a
>,
517 but have not seen any replies yet.
</p
>
519 <p
>Is there a better way to figure out if a Linux NFS client is
520 experiencing NFS hangs? Is there a way to detect which processes are
521 affected? Is there a way to get the NFS mount going quickly once the
522 network problem causing the NFS hang has been cleared? I would very
523 much welcome some clues, as we regularly run into NFS hangs.
</p
>
528 <title>How does it feel to be wiretapped, when you should be doing the wiretapping...
</title>
529 <link>http://people.skolelinux.org/pere/blog/How_does_it_feel_to_be_wiretapped__when_you_should_be_doing_the_wiretapping___.html
</link>
530 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/How_does_it_feel_to_be_wiretapped__when_you_should_be_doing_the_wiretapping___.html
</guid>
531 <pubDate>Wed,
8 Mar
2017 11:
50:
00 +
0100</pubDate>
532 <description><p
>So the new president in the United States of America claim to be
533 surprised to discover that he was wiretapped during the election
534 before he was elected president. He even claim this must be illegal.
535 Well, doh, if it is one thing the confirmations from Snowden
536 documented, it is that the entire population in USA is wiretapped, one
537 way or another. Of course the president candidates were wiretapped,
538 alongside the senators, judges and the rest of the people in USA.
</p
>
540 <p
>Next, the Federal Bureau of Investigation ask the Department of
541 Justice to go public rejecting the claims that Donald Trump was
542 wiretapped illegally. I fail to see the relevance, given that I am
543 sure the surveillance industry in USA believe they have all the legal
544 backing they need to conduct mass surveillance on the entire
547 <p
>There is even the director of the FBI stating that he never saw an
548 order requesting wiretapping of Donald Trump. That is not very
549 surprising, given how the FISA court work, with all its activity being
550 secret. Perhaps he only heard about it?
</p
>
552 <p
>What I find most sad in this story is how Norwegian journalists
553 present it. In a news reports the other day in the radio from the
554 Norwegian National broadcasting Company (NRK), I heard the journalist
555 claim that
'the FBI denies any wiretapping
', while the reality is that
556 'the FBI denies any illegal wiretapping
'. There is a fundamental and
557 important difference, and it make me sad that the journalists are
558 unable to grasp it.
</p
>
560 <p
><strong
>Update
2017-
03-
13:
</strong
> Look like
561 <a href=
"https://theintercept.com/
2017/
03/
13/rand-paul-is-right-nsa-routinely-monitors-americans-communications-without-warrants/
">The
562 Intercept report that US Senator Rand Paul confirm what I state above
</a
>.
</p
>
567 <title>Norwegian Bokmål translation of The Debian Administrator
's Handbook complete, proofreading in progress
</title>
568 <link>http://people.skolelinux.org/pere/blog/Norwegian_Bokm_l_translation_of_The_Debian_Administrator_s_Handbook_complete__proofreading_in_progress.html
</link>
569 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Norwegian_Bokm_l_translation_of_The_Debian_Administrator_s_Handbook_complete__proofreading_in_progress.html
</guid>
570 <pubDate>Fri,
3 Mar
2017 14:
50:
00 +
0100</pubDate>
571 <description><p
>For almost a year now, we have been working on making a Norwegian
572 Bokmål edition of
<a href=
"https://debian-handbook.info/
">The Debian
573 Administrator
's Handbook
</a
>. Now, thanks to the tireless effort of
574 Ole-Erik, Ingrid and Andreas, the initial translation is complete, and
575 we are working on the proof reading to ensure consistent language and
576 use of correct computer science terms. The plan is to make the book
577 available on paper, as well as in electronic form. For that to
578 happen, the proof reading must be completed and all the figures need
579 to be translated. If you want to help out, get in touch.
</p
>
581 <p
><a href=
"http://people.skolelinux.org/pere/debian-handbook/debian-handbook-nb-NO.pdf
">A
583 fresh PDF edition
</a
> in A4 format (the final book will have smaller
584 pages) of the book created every morning is available for
585 proofreading. If you find any errors, please
586 <a href=
"https://hosted.weblate.org/projects/debian-handbook/
">visit
587 Weblate and correct the error
</a
>. The
588 <a href=
"http://l.github.io/debian-handbook/stat/nb-NO/index.html
">state
589 of the translation including figures
</a
> is a useful source for those
590 provide Norwegian bokmål screen shots and figures.
</p
>
595 <title>Unlimited randomness with the ChaosKey?
</title>
596 <link>http://people.skolelinux.org/pere/blog/Unlimited_randomness_with_the_ChaosKey_.html
</link>
597 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Unlimited_randomness_with_the_ChaosKey_.html
</guid>
598 <pubDate>Wed,
1 Mar
2017 20:
50:
00 +
0100</pubDate>
599 <description><p
>A few days ago I ordered a small batch of
600 <a href=
"http://altusmetrum.org/ChaosKey/
">the ChaosKey
</a
>, a small
601 USB dongle for generating entropy created by Bdale Garbee and Keith
602 Packard. Yesterday it arrived, and I am very happy to report that it
603 work great! According to its designers, to get it to work out of the
604 box, you need the Linux kernel version
4.1 or later. I tested on a
605 Debian Stretch machine (kernel version
4.9), and there it worked just
606 fine, increasing the available entropy very quickly. I wrote a small
607 test oneliner to test. It first print the current entropy level,
608 drain /dev/random, and then print the entropy level for five seconds.
609 Here is the situation without the ChaosKey inserted:
</p
>
611 <blockquote
><pre
>
612 % cat /proc/sys/kernel/random/entropy_avail; \
613 dd bs=
1M if=/dev/random of=/dev/null count=
1; \
614 for n in $(seq
1 5); do \
615 cat /proc/sys/kernel/random/entropy_avail; \
621 28 byte kopiert,
0,
000264565 s,
106 kB/s
628 </pre
></blockquote
>
630 <p
>The entropy level increases by
3-
4 every second. In such case any
631 application requiring random bits (like a HTTPS enabled web server)
632 will halt and wait for more entrpy. And here is the situation with
633 the ChaosKey inserted:
</p
>
635 <blockquote
><pre
>
636 % cat /proc/sys/kernel/random/entropy_avail; \
637 dd bs=
1M if=/dev/random of=/dev/null count=
1; \
638 for n in $(seq
1 5); do \
639 cat /proc/sys/kernel/random/entropy_avail; \
645 104 byte kopiert,
0,
000487647 s,
213 kB/s
652 </pre
></blockquote
>
654 <p
>Quite the difference. :) I bought a few more than I need, in case
655 someone want to buy one here in Norway. :)
</p
>
657 <p
>Update: The dongle was presented at Debconf last year. You might
658 find
<a href=
"https://debconf16.debconf.org/talks/
94/
">the talk
659 recording illuminating
</a
>. It explains exactly what the source of
660 randomness is, if you are unable to spot it from the schema drawing
661 available from the ChaosKey web site linked at the start of this blog
projects / homepage.git / blob