1 <?xml version=
"1.0" encoding=
"utf-8"?>
2 <rss version='
2.0' xmlns:lj='http://www.livejournal.org/rss/lj/
1.0/' xmlns:
atom=
"http://www.w3.org/2005/Atom">
4 <title>Petter Reinholdtsen
</title>
5 <description></description>
6 <link>http://people.skolelinux.org/pere/blog/
</link>
7 <atom:link href=
"http://people.skolelinux.org/pere/blog/index.rss" rel=
"self" type=
"application/rss+xml" />
10 <title>Idea for storing trusted timestamps in a Noark
5 archive
</title>
11 <link>http://people.skolelinux.org/pere/blog/Idea_for_storing_trusted_timestamps_in_a_Noark_5_archive.html
</link>
12 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Idea_for_storing_trusted_timestamps_in_a_Noark_5_archive.html
</guid>
13 <pubDate>Wed,
7 Jun
2017 21:
40:
00 +
0200</pubDate>
14 <description><p
><em
>This is a copy of
15 <a href=
"https://lists.nuug.no/pipermail/nikita-noark/
2017-June/
000297.html
">an
16 email I posted to the nikita-noark mailing list
</a
>. Please follow up
17 there if you would like to discuss this topic. The background is that
18 we are making a free software archive system based on the Norwegian
19 <a href=
"https://www.arkivverket.no/forvaltning-og-utvikling/regelverk-og-standarder/noark-standarden
">Noark
20 5 standard
</a
> for government archives.
</em
></p
>
22 <p
>I
've been wondering a bit lately how trusted timestamps could be
24 <a href=
"https://en.wikipedia.org/wiki/Trusted_timestamping
">Trusted
25 timestamps
</a
> can be used to verify that some information
26 (document/file/checksum/metadata) have not been changed since a
27 specific time in the past. This is useful to verify the integrity of
28 the documents in the archive.
</p
>
30 <p
>Then it occured to me, perhaps the trusted timestamps could be
31 stored as dokument variants (ie dokumentobjekt referered to from
32 dokumentbeskrivelse) with the filename set to the hash it is
35 <p
>Given a
"dokumentbeskrivelse
" with an associated
"dokumentobjekt
",
36 a new dokumentobjekt is associated with
"dokumentbeskrivelse
" with the
37 same attributes as the stamped dokumentobjekt except these
42 <li
>format -
> "RFC3161
"
43 <li
>mimeType -
> "application/timestamp-reply
"
44 <li
>formatDetaljer -
> "&lt;source URL for timestamp service
&gt;
"
45 <li
>filenavn -
> "&lt;sjekksum
&gt;.tsr
"
49 <p
>This assume a service following
50 <a href=
"https://tools.ietf.org/html/rfc3161
">IETF RFC
3161</a
> is
51 used, which specifiy the given MIME type for replies and the .tsr file
52 ending for the content of such trusted timestamp. As far as I can
53 tell from the Noark
5 specifications, it is OK to have several
54 variants/renderings of a dokument attached to a given
55 dokumentbeskrivelse objekt. It might be stretching it a bit to make
56 some of these variants represent crypto-signatures useful for
57 verifying the document integrity instead of representing the dokument
60 <p
>Using the source of the service in formatDetaljer allow several
61 timestamping services to be used. This is useful to spread the risk
62 of key compromise over several organisations. It would only be a
63 problem to trust the timestamps if all of the organisations are
64 compromised.
</p
>
66 <p
>The following oneliner on Linux can be used to generate the tsr
67 file. $input is the path to the file to checksum, and $sha256 is the
68 SHA-
256 checksum of the file (ie the
"<sjekksum
>.tsr
" value mentioned
71 <p
><blockquote
><pre
>
72 openssl ts -query -data
"$inputfile
" -cert -sha256 -no_nonce \
73 | curl -s -H
"Content-Type: application/timestamp-query
" \
74 --data-binary
"@-
" http://zeitstempel.dfn.de
> $sha256.tsr
75 </pre
></blockquote
></p
>
77 <p
>To verify the timestamp, you first need to download the public key
78 of the trusted timestamp service, for example using this command:
</p
>
80 <p
><blockquote
><pre
>
82 https://pki.pca.dfn.de/global-services-ca/pub/cacert/chain.txt
83 </pre
></blockquote
></p
>
85 <p
>Note, the public key should be stored alongside the timestamps in
86 the archive to make sure it is also available
100 years from now. It
87 is probably a good idea to standardise how and were to store such
88 public keys, to make it easier to find for those trying to verify
89 documents
100 or
1000 years from now. :)
</p
>
91 <p
>The verification itself is a simple openssl command:
</p
>
93 <p
><blockquote
><pre
>
94 openssl ts -verify -data $inputfile -in $sha256.tsr \
95 -CAfile ca-cert.txt -text
96 </pre
></blockquote
></p
>
98 <p
>Is there any reason this approach would not work? Is it somehow against
99 the Noark
5 specification?
</p
>
104 <title>Når nynorskoversettelsen svikter til eksamen...
</title>
105 <link>http://people.skolelinux.org/pere/blog/N_r_nynorskoversettelsen_svikter_til_eksamen___.html
</link>
106 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/N_r_nynorskoversettelsen_svikter_til_eksamen___.html
</guid>
107 <pubDate>Sat,
3 Jun
2017 08:
20:
00 +
0200</pubDate>
108 <description><p
><a href=
"http://www.aftenposten.no/norge/Krever-at-elever-ma-fa-annullert-eksamen-etter-rot-med-oppgavetekster-
622459b.html
">Aftenposten
109 melder i dag
</a
> om feil i eksamensoppgavene for eksamen i politikk og
110 menneskerettigheter, der teksten i bokmåls og nynorskutgaven ikke var
111 like. Oppgaveteksten er gjengitt i artikkelen, og jeg ble nysgjerring
112 på om den fri oversetterløsningen
113 <a href=
"https://www.apertium.org/
">Apertium
</a
> ville gjort en bedre
114 jobb enn Utdanningsdirektoratet. Det kan se slik ut.
</p
>
116 <p
>Her er bokmålsoppgaven fra eksamenen:
</p
>
119 <p
>Drøft utfordringene knyttet til nasjonalstatenes og andre aktørers
120 rolle og muligheter til å håndtere internasjonale utfordringer, som
121 for eksempel flykningekrisen.
</p
>
123 <p
>Vedlegge er eksempler på tekster som kan gi relevante perspektiver
126 <li
>Flykningeregnskapet
2016, UNHCR og IDMC
127 <li
>«Grenseløst Europa for fall» A-Magasinet,
26. november
2015
132 <p
>Dette oversetter Apertium slik:
</p
>
135 <p
>Drøft utfordringane knytte til nasjonalstatane sine og rolla til
136 andre aktørar og høve til å handtera internasjonale utfordringar, som
137 til dømes *flykningekrisen.
</p
>
139 <p
>Vedleggja er døme på tekster som kan gje relevante perspektiv på
143 <li
>*Flykningeregnskapet
2016, *UNHCR og *IDMC
</li
>
144 <li
>«*Grenseløst Europa for fall» A-Magasinet,
26. november
2015</li
>
149 <p
>Ord som ikke ble forstått er markert med stjerne (*), og trenger
150 ekstra språksjekk. Men ingen ord er forsvunnet, slik det var i
151 oppgaven elevene fikk presentert på eksamen. Jeg mistenker dog at
152 "andre aktørers rolle og muligheter til ...
" burde vært oversatt til
153 "rolla til andre aktørar og deira høve til ...
" eller noe slikt, men
154 det er kanskje flisespikking. Det understreker vel bare at det alltid
155 trengs korrekturlesning etter automatisk oversettelse.
</p
>
160 <title>Epost inn som arkivformat i Riksarkivarens forskrift?
</title>
161 <link>http://people.skolelinux.org/pere/blog/Epost_inn_som_arkivformat_i_Riksarkivarens_forskrift_.html
</link>
162 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Epost_inn_som_arkivformat_i_Riksarkivarens_forskrift_.html
</guid>
163 <pubDate>Thu,
27 Apr
2017 11:
30:
00 +
0200</pubDate>
164 <description><p
>I disse dager, med frist
1. mai, har Riksarkivaren ute en høring på
165 sin forskrift. Som en kan se er det ikke mye tid igjen før fristen
166 som går ut på søndag. Denne forskriften er det som lister opp hvilke
167 formater det er greit å arkivere i
168 <a href=
"http://www.arkivverket.no/arkivverket/Offentleg-forvalting/Noark/Noark-
5">Noark
169 5-løsninger
</a
> i Norge.
</p
>
171 <p
>Jeg fant høringsdokumentene hos
172 <a href=
"https://www.arkivrad.no/aktuelt/riksarkivarens-forskrift-pa-horing
">Norsk
173 Arkivråd
</a
> etter å ha blitt tipset på epostlisten til
174 <a href=
"https://github.com/hiOA-ABI/nikita-noark5-core
">fri
175 programvareprosjektet Nikita Noark5-Core
</a
>, som lager et Noark
5
176 Tjenestegresesnitt. Jeg er involvert i Nikita-prosjektet og takket
177 være min interesse for tjenestegrensesnittsprosjektet har jeg lest en
178 god del Noark
5-relaterte dokumenter, og til min overraskelse oppdaget
179 at standard epost ikke er på listen over godkjente formater som kan
180 arkiveres. Høringen med frist søndag er en glimrende mulighet til å
181 forsøke å gjøre noe med det. Jeg holder på med
182 <a href=
"https://github.com/petterreinholdtsen/noark5-tester/blob/master/docs/hoering-arkivforskrift.tex
">egen
183 høringsuttalelse
</a
>, og lurer på om andre er interessert i å støtte
184 forslaget om å tillate arkivering av epost som epost i arkivet.
</p
>
186 <p
>Er du igang med å skrive egen høringsuttalelse allerede? I så fall
187 kan du jo vurdere å ta med en formulering om epost-lagring. Jeg tror
188 ikke det trengs så mye. Her et kort forslag til tekst:
</p
>
190 <p
><blockquote
>
192 <p
>Viser til høring sendt ut
2017-
02-
17 (Riksarkivarens referanse
193 2016/
9840 HELHJO), og tillater oss å sende inn noen innspill om
194 revisjon av Forskrift om utfyllende tekniske og arkivfaglige
195 bestemmelser om behandling av offentlige arkiver (Riksarkivarens
196 forskrift).
</p
>
198 <p
>Svært mye av vår kommuikasjon foregår i dag på e-post. Vi
199 foreslår derfor at Internett-e-post, slik det er beskrevet i IETF
201 <a href=
"https://tools.ietf.org/html/rfc5322
">https://tools.ietf.org/html/rfc5322
</a
>. bør
202 inn som godkjent dokumentformat. Vi foreslår at forskriftens
203 oversikt over godkjente dokumentformater ved innlevering i §
5-
16
204 endres til å ta med Internett-e-post.
</p
>
206 </blockquote
></p
>
208 <p
>Som del av arbeidet med tjenestegrensesnitt har vi testet hvordan
209 epost kan lagres i en Noark
5-struktur, og holder på å skrive et
210 forslag om hvordan dette kan gjøres som vil bli sendt over til
211 arkivverket så snart det er ferdig. De som er interesserte kan
212 <a href=
"https://github.com/petterreinholdtsen/noark5-tester/blob/master/docs/epostlagring.md
">følge
213 fremdriften på web
</a
>.
</p
>
215 <p
>Oppdatering
2017-
04-
28: I dag ble høringuttalelsen jeg skrev
216 <a href=
"https://www.nuug.no/news/NUUGs_h_ringuttalelse_til_Riksarkivarens_forskrift.shtml
">sendt
217 inn av foreningen NUUG
</a
>.
</p
>
222 <title>Offentlig elektronisk postjournal blokkerer tilgang for utvalgte webklienter
</title>
223 <link>http://people.skolelinux.org/pere/blog/Offentlig_elektronisk_postjournal_blokkerer_tilgang_for_utvalgte_webklienter.html
</link>
224 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Offentlig_elektronisk_postjournal_blokkerer_tilgang_for_utvalgte_webklienter.html
</guid>
225 <pubDate>Thu,
20 Apr
2017 13:
00:
00 +
0200</pubDate>
226 <description><p
>Jeg oppdaget i dag at
<a href=
"https://www.oep.no/
">nettstedet som
227 publiserer offentlige postjournaler fra statlige etater
</a
>, OEP, har
228 begynt å blokkerer enkelte typer webklienter fra å få tilgang. Vet
229 ikke hvor mange det gjelder, men det gjelder i hvert fall libwww-perl
230 og curl. For å teste selv, kjør følgende:
</p
>
232 <blockquote
><pre
>
233 % curl -v -s https://www.oep.no/pub/report.xhtml?reportId=
3 2>&1 |grep
'< HTTP
'
234 < HTTP/
1.1 404 Not Found
235 % curl -v -s --header
'User-Agent:Opera/
12.0' https://www.oep.no/pub/report.xhtml?reportId=
3 2>&1 |grep
'< HTTP
'
238 </pre
></blockquote
>
240 <p
>Her kan en se at tjenesten gir «
404 Not Found» for curl i
241 standardoppsettet, mens den gir «
200 OK» hvis curl hevder å være Opera
242 versjon
12.0. Offentlig elektronisk postjournal startet blokkeringen
243 2017-
03-
02.
</p
>
245 <p
>Blokkeringen vil gjøre det litt vanskeligere å maskinelt hente
246 informasjon fra oep.no. Kan blokkeringen være gjort for å hindre
247 automatisert innsamling av informasjon fra OEP, slik Pressens
248 Offentlighetsutvalg gjorde for å dokumentere hvordan departementene
250 <a href=
"http://presse.no/dette-mener-np/undergraver-offentlighetsloven/
">rapporten
251 «Slik hindrer departementer innsyn» som ble publiserte i januar
252 2017</a
>. Det virker usannsynlig, da det jo er trivielt å bytte
253 User-Agent til noe nytt.
</p
>
255 <p
>Finnes det juridisk grunnlag for det offentlige å diskriminere
256 webklienter slik det gjøres her? Der tilgang gis eller ikke alt etter
257 hva klienten sier at den heter? Da OEP eies av DIFI og driftes av
258 Basefarm, finnes det kanskje noen dokumenter sendt mellom disse to
259 aktørene man kan be om innsyn i for å forstå hva som har skjedd. Men
260 <a href=
"https://www.oep.no/search/result.html?period=dateRange
&fromDate=
01.01.2016&toDate=
01.04.2017&dateType=documentDate
&caseDescription=
&descType=both
&caseNumber=
&documentNumber=
&sender=basefarm
&senderType=both
&documentType=all
&legalAuthority=
&archiveCode=
&list2=
196&searchType=advanced
&Search=Search+in+records
">postjournalen
261 til DIFI viser kun to dokumenter
</a
> det siste året mellom DIFI og
263 <a href=
"https://www.mimesbronn.no/request/blokkering_av_tilgang_til_oep_fo
">Mimes brønn neste
</a
>,
264 tenker jeg.
</p
>
269 <title>Free software archive system Nikita now able to store documents
</title>
270 <link>http://people.skolelinux.org/pere/blog/Free_software_archive_system_Nikita_now_able_to_store_documents.html
</link>
271 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Free_software_archive_system_Nikita_now_able_to_store_documents.html
</guid>
272 <pubDate>Sun,
19 Mar
2017 08:
00:
00 +
0100</pubDate>
273 <description><p
>The
<a href=
"https://github.com/hiOA-ABI/nikita-noark5-core
">Nikita
274 Noark
5 core project
</a
> is implementing the Norwegian standard for
275 keeping an electronic archive of government documents.
276 <a href=
"http://www.arkivverket.no/arkivverket/Offentlig-forvaltning/Noark/Noark-
5/English-version
">The
277 Noark
5 standard
</a
> document the requirement for data systems used by
278 the archives in the Norwegian government, and the Noark
5 web interface
279 specification document a REST web service for storing, searching and
280 retrieving documents and metadata in such archive. I
've been involved
281 in the project since a few weeks before Christmas, when the Norwegian
283 <a href=
"https://www.nuug.no/news/NOARK5_kjerne_som_fri_programvare_f_r_epostliste_hos_NUUG.shtml
">announced
284 it supported the project
</a
>. I believe this is an important project,
285 and hope it can make it possible for the government archives in the
286 future to use free software to keep the archives we citizens depend
287 on. But as I do not hold such archive myself, personally my first use
288 case is to store and analyse public mail journal metadata published
289 from the government. I find it useful to have a clear use case in
290 mind when developing, to make sure the system scratches one of my
293 <p
>If you would like to help make sure there is a free software
294 alternatives for the archives, please join our IRC channel
295 (
<a href=
"irc://irc.freenode.net/%
23nikita
"">#nikita on
296 irc.freenode.net
</a
>) and
297 <a href=
"https://lists.nuug.no/mailman/listinfo/nikita-noark
">the
298 project mailing list
</a
>.
</p
>
300 <p
>When I got involved, the web service could store metadata about
301 documents. But a few weeks ago, a new milestone was reached when it
302 became possible to store full text documents too. Yesterday, I
303 completed an implementation of a command line tool
304 <tt
>archive-pdf
</tt
> to upload a PDF file to the archive using this
305 API. The tool is very simple at the moment, and find existing
306 <a href=
"https://en.wikipedia.org/wiki/Fonds
">fonds
</a
>, series and
307 files while asking the user to select which one to use if more than
308 one exist. Once a file is identified, the PDF is associated with the
309 file and uploaded, using the title extracted from the PDF itself. The
310 process is fairly similar to visiting the archive, opening a cabinet,
311 locating a file and storing a piece of paper in the archive. Here is
312 a test run directly after populating the database with test data using
313 our API tester:
</p
>
315 <p
><blockquote
><pre
>
316 ~/src//noark5-tester$ ./archive-pdf mangelmelding/mangler.pdf
317 using arkiv: Title of the test fonds created
2017-
03-
18T23:
49:
32.103446
318 using arkivdel: Title of the test series created
2017-
03-
18T23:
49:
32.103446
320 0 - Title of the test case file created
2017-
03-
18T23:
49:
32.103446
321 1 - Title of the test file created
2017-
03-
18T23:
49:
32.103446
322 Select which mappe you want (or search term):
0
323 Uploading mangelmelding/mangler.pdf
324 PDF title: Mangler i spesifikasjonsdokumentet for NOARK
5 Tjenestegrensesnitt
325 File
2017/
1: Title of the test case file created
2017-
03-
18T23:
49:
32.103446
326 ~/src//noark5-tester$
327 </pre
></blockquote
></p
>
329 <p
>You can see here how the fonds (arkiv) and serie (arkivdel) only had
330 one option, while the user need to choose which file (mappe) to use
331 among the two created by the API tester. The
<tt
>archive-pdf
</tt
>
332 tool can be found in the git repository for the API tester.
</p
>
334 <p
>In the project, I have been mostly working on
335 <a href=
"https://github.com/petterreinholdtsen/noark5-tester
">the API
336 tester
</a
> so far, while getting to know the code base. The API
338 <a href=
"https://en.wikipedia.org/wiki/HATEOAS
">the HATEOAS links
</a
>
339 to traverse the entire exposed service API and verify that the exposed
340 operations and objects match the specification, as well as trying to
341 create objects holding metadata and uploading a simple XML file to
342 store. The tester has proved very useful for finding flaws in our
343 implementation, as well as flaws in the reference site and the
344 specification.
</p
>
346 <p
>The test document I uploaded is a summary of all the specification
347 defects we have collected so far while implementing the web service.
348 There are several unclear and conflicting parts of the specification,
350 <a href=
"https://github.com/petterreinholdtsen/noark5-tester/tree/master/mangelmelding
">started
351 writing down
</a
> the questions we get from implementing it. We use a
352 format inspired by how
<a href=
"http://www.opengroup.org/austin/
">The
353 Austin Group
</a
> collect defect reports for the POSIX standard with
354 <a href=
"http://www.opengroup.org/austin/mantis.html
">their
355 instructions for the MANTIS defect tracker system
</a
>, in lack of an official way to structure defect reports for Noark
5 (our first submitted defect report was a
<a href=
"https://github.com/petterreinholdtsen/noark5-tester/blob/master/mangelmelding/sendt/
2017-
03-
15-mangel-prosess.md
">request for a procedure for submitting defect reports
</a
> :).
357 <p
>The Nikita project is implemented using Java and Spring, and is
358 fairly easy to get up and running using Docker containers for those
359 that want to test the current code base. The API tester is
360 implemented in Python.
</p
>
365 <title>Detecting NFS hangs on Linux without hanging yourself...
</title>
366 <link>http://people.skolelinux.org/pere/blog/Detecting_NFS_hangs_on_Linux_without_hanging_yourself___.html
</link>
367 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Detecting_NFS_hangs_on_Linux_without_hanging_yourself___.html
</guid>
368 <pubDate>Thu,
9 Mar
2017 15:
20:
00 +
0100</pubDate>
369 <description><p
>Over the years, administrating thousand of NFS mounting linux
370 computers at the time, I often needed a way to detect if the machine
371 was experiencing NFS hang. If you try to use
<tt
>df
</tt
> or look at a
372 file or directory affected by the hang, the process (and possibly the
373 shell) will hang too. So you want to be able to detect this without
374 risking the detection process getting stuck too. It has not been
375 obvious how to do this. When the hang has lasted a while, it is
376 possible to find messages like these in dmesg:
</p
>
378 <p
><blockquote
>
379 nfs: server nfsserver not responding, still trying
380 <br
>nfs: server nfsserver OK
381 </blockquote
></p
>
383 <p
>It is hard to know if the hang is still going on, and it is hard to
384 be sure looking in dmesg is going to work. If there are lots of other
385 messages in dmesg the lines might have rotated out of site before they
386 are noticed.
</p
>
388 <p
>While reading through the nfs client implementation in linux kernel
389 code, I came across some statistics that seem to give a way to detect
390 it. The om_timeouts sunrpc value in the kernel will increase every
391 time the above log entry is inserted into dmesg. And after digging a
392 bit further, I discovered that this value show up in
393 /proc/self/mountstats on Linux.
</p
>
395 <p
>The mountstats content seem to be shared between files using the
396 same file system context, so it is enough to check one of the
397 mountstats files to get the state of the mount point for the machine.
398 I assume this will not show lazy umounted NFS points, nor NFS mount
399 points in a different process context (ie with a different filesystem
400 view), but that does not worry me.
</p
>
402 <p
>The content for a NFS mount point look similar to this:
</p
>
404 <p
><blockquote
><pre
>
406 device /dev/mapper/Debian-var mounted on /var with fstype ext3
407 device nfsserver:/mnt/nfsserver/home0 mounted on /mnt/nfsserver/home0 with fstype nfs statvers=
1.1
408 opts: rw,vers=
3,rsize=
65536,wsize=
65536,namlen=
255,acregmin=
3,acregmax=
60,acdirmin=
30,acdirmax=
60,soft,nolock,proto=tcp,timeo=
600,retrans=
2,sec=sys,mountaddr=
129.240.3.145,mountvers=
3,mountport=
4048,mountproto=udp,local_lock=all
410 caps: caps=
0x3fe7,wtmult=
4096,dtsize=
8192,bsize=
0,namlen=
255
411 sec: flavor=
1,pseudoflavor=
1
412 events:
61063112 732346265 1028140 35486205 16220064 8162542 761447191 71714012 37189 3891185 45561809 110486139 4850138 420353 15449177 296502 52736725 13523379 0 52182 9016896 1231 0 0 0 0 0
413 bytes:
166253035039 219519120027 0 0 40783504807 185466229638 11677877 45561809
414 RPC iostats version:
1.0 p/v:
100003/
3 (nfs)
415 xprt: tcp
925 1 6810 0 0 111505412 111480497 109 2672418560317 0 248 53869103 22481820
417 NULL:
0 0 0 0 0 0 0 0
418 GETATTR:
61063106 61063108 0 9621383060 6839064400 453650 77291321 78926132
419 SETATTR:
463469 463470 0 92005440 66739536 63787 603235 687943
420 LOOKUP:
17021657 17021657 0 3354097764 4013442928 57216 35125459 35566511
421 ACCESS:
14281703 14290009 5 2318400592 1713803640 1709282 4865144 7130140
422 READLINK:
125 125 0 20472 18620 0 1112 1118
423 READ:
4214236 4214237 0 715608524 41328653212 89884 22622768 22806693
424 WRITE:
8479010 8494376 22 187695798568 1356087148 178264904 51506907 231671771
425 CREATE:
171708 171708 0 38084748 46702272 873 1041833 1050398
426 MKDIR:
3680 3680 0 773980 993920 26 23990 24245
427 SYMLINK:
903 903 0 233428 245488 6 5865 5917
428 MKNOD:
80 80 0 20148 21760 0 299 304
429 REMOVE:
429921 429921 0 79796004 61908192 3313 2710416 2741636
430 RMDIR:
3367 3367 0 645112 484848 22 5782 6002
431 RENAME:
466201 466201 0 130026184 121212260 7075 5935207 5961288
432 LINK:
289155 289155 0 72775556 67083960 2199 2565060 2585579
433 READDIR:
2933237 2933237 0 516506204 13973833412 10385 3190199 3297917
434 READDIRPLUS:
1652839 1652839 0 298640972 6895997744 84735 14307895 14448937
435 FSSTAT:
6144 6144 0 1010516 1032192 51 9654 10022
436 FSINFO:
2 2 0 232 328 0 1 1
437 PATHCONF:
1 1 0 116 140 0 0 0
438 COMMIT:
0 0 0 0 0 0 0 0
440 device binfmt_misc mounted on /proc/sys/fs/binfmt_misc with fstype binfmt_misc
442 </pre
></blockquote
></p
>
444 <p
>The key number to look at is the third number in the per-op list.
445 It is the number of NFS timeouts experiences per file system
446 operation. Here
22 write timeouts and
5 access timeouts. If these
447 numbers are increasing, I believe the machine is experiencing NFS
448 hang. Unfortunately the timeout value do not start to increase right
449 away. The NFS operations need to time out first, and this can take a
450 while. The exact timeout value depend on the setup. For example the
451 defaults for TCP and UDP mount points are quite different, and the
452 timeout value is affected by the soft, hard, timeo and retrans NFS
453 mount options.
</p
>
455 <p
>The only way I have been able to get working on Debian and RedHat
456 Enterprise Linux for getting the timeout count is to peek in /proc/.
458 <ahref=
"http://docs.oracle.com/cd/E19253-
01/
816-
4555/netmonitor-
12/index.html
">Solaris
459 10 System Administration Guide: Network Services
</a
>, the
'nfsstat -c
'
460 command can be used to get these timeout values. But this do not work
461 on Linux, as far as I can tell. I
462 <ahref=
"http://bugs.debian.org/
857043">asked Debian about this
</a
>,
463 but have not seen any replies yet.
</p
>
465 <p
>Is there a better way to figure out if a Linux NFS client is
466 experiencing NFS hangs? Is there a way to detect which processes are
467 affected? Is there a way to get the NFS mount going quickly once the
468 network problem causing the NFS hang has been cleared? I would very
469 much welcome some clues, as we regularly run into NFS hangs.
</p
>
474 <title>How does it feel to be wiretapped, when you should be doing the wiretapping...
</title>
475 <link>http://people.skolelinux.org/pere/blog/How_does_it_feel_to_be_wiretapped__when_you_should_be_doing_the_wiretapping___.html
</link>
476 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/How_does_it_feel_to_be_wiretapped__when_you_should_be_doing_the_wiretapping___.html
</guid>
477 <pubDate>Wed,
8 Mar
2017 11:
50:
00 +
0100</pubDate>
478 <description><p
>So the new president in the United States of America claim to be
479 surprised to discover that he was wiretapped during the election
480 before he was elected president. He even claim this must be illegal.
481 Well, doh, if it is one thing the confirmations from Snowden
482 documented, it is that the entire population in USA is wiretapped, one
483 way or another. Of course the president candidates were wiretapped,
484 alongside the senators, judges and the rest of the people in USA.
</p
>
486 <p
>Next, the Federal Bureau of Investigation ask the Department of
487 Justice to go public rejecting the claims that Donald Trump was
488 wiretapped illegally. I fail to see the relevance, given that I am
489 sure the surveillance industry in USA believe they have all the legal
490 backing they need to conduct mass surveillance on the entire
493 <p
>There is even the director of the FBI stating that he never saw an
494 order requesting wiretapping of Donald Trump. That is not very
495 surprising, given how the FISA court work, with all its activity being
496 secret. Perhaps he only heard about it?
</p
>
498 <p
>What I find most sad in this story is how Norwegian journalists
499 present it. In a news reports the other day in the radio from the
500 Norwegian National broadcasting Company (NRK), I heard the journalist
501 claim that
'the FBI denies any wiretapping
', while the reality is that
502 'the FBI denies any illegal wiretapping
'. There is a fundamental and
503 important difference, and it make me sad that the journalists are
504 unable to grasp it.
</p
>
506 <p
><strong
>Update
2017-
03-
13:
</strong
> Look like
507 <a href=
"https://theintercept.com/
2017/
03/
13/rand-paul-is-right-nsa-routinely-monitors-americans-communications-without-warrants/
">The
508 Intercept report that US Senator Rand Paul confirm what I state above
</a
>.
</p
>
513 <title>Norwegian Bokmål translation of The Debian Administrator
's Handbook complete, proofreading in progress
</title>
514 <link>http://people.skolelinux.org/pere/blog/Norwegian_Bokm_l_translation_of_The_Debian_Administrator_s_Handbook_complete__proofreading_in_progress.html
</link>
515 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Norwegian_Bokm_l_translation_of_The_Debian_Administrator_s_Handbook_complete__proofreading_in_progress.html
</guid>
516 <pubDate>Fri,
3 Mar
2017 14:
50:
00 +
0100</pubDate>
517 <description><p
>For almost a year now, we have been working on making a Norwegian
518 Bokmål edition of
<a href=
"https://debian-handbook.info/
">The Debian
519 Administrator
's Handbook
</a
>. Now, thanks to the tireless effort of
520 Ole-Erik, Ingrid and Andreas, the initial translation is complete, and
521 we are working on the proof reading to ensure consistent language and
522 use of correct computer science terms. The plan is to make the book
523 available on paper, as well as in electronic form. For that to
524 happen, the proof reading must be completed and all the figures need
525 to be translated. If you want to help out, get in touch.
</p
>
527 <p
><a href=
"http://people.skolelinux.org/pere/debian-handbook/debian-handbook-nb-NO.pdf
">A
529 fresh PDF edition
</a
> in A4 format (the final book will have smaller
530 pages) of the book created every morning is available for
531 proofreading. If you find any errors, please
532 <a href=
"https://hosted.weblate.org/projects/debian-handbook/
">visit
533 Weblate and correct the error
</a
>. The
534 <a href=
"http://l.github.io/debian-handbook/stat/nb-NO/index.html
">state
535 of the translation including figures
</a
> is a useful source for those
536 provide Norwegian bokmål screen shots and figures.
</p
>
541 <title>Unlimited randomness with the ChaosKey?
</title>
542 <link>http://people.skolelinux.org/pere/blog/Unlimited_randomness_with_the_ChaosKey_.html
</link>
543 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Unlimited_randomness_with_the_ChaosKey_.html
</guid>
544 <pubDate>Wed,
1 Mar
2017 20:
50:
00 +
0100</pubDate>
545 <description><p
>A few days ago I ordered a small batch of
546 <a href=
"http://altusmetrum.org/ChaosKey/
">the ChaosKey
</a
>, a small
547 USB dongle for generating entropy created by Bdale Garbee and Keith
548 Packard. Yesterday it arrived, and I am very happy to report that it
549 work great! According to its designers, to get it to work out of the
550 box, you need the Linux kernel version
4.1 or later. I tested on a
551 Debian Stretch machine (kernel version
4.9), and there it worked just
552 fine, increasing the available entropy very quickly. I wrote a small
553 test oneliner to test. It first print the current entropy level,
554 drain /dev/random, and then print the entropy level for five seconds.
555 Here is the situation without the ChaosKey inserted:
</p
>
557 <blockquote
><pre
>
558 % cat /proc/sys/kernel/random/entropy_avail; \
559 dd bs=
1M if=/dev/random of=/dev/null count=
1; \
560 for n in $(seq
1 5); do \
561 cat /proc/sys/kernel/random/entropy_avail; \
567 28 byte kopiert,
0,
000264565 s,
106 kB/s
574 </pre
></blockquote
>
576 <p
>The entropy level increases by
3-
4 every second. In such case any
577 application requiring random bits (like a HTTPS enabled web server)
578 will halt and wait for more entrpy. And here is the situation with
579 the ChaosKey inserted:
</p
>
581 <blockquote
><pre
>
582 % cat /proc/sys/kernel/random/entropy_avail; \
583 dd bs=
1M if=/dev/random of=/dev/null count=
1; \
584 for n in $(seq
1 5); do \
585 cat /proc/sys/kernel/random/entropy_avail; \
591 104 byte kopiert,
0,
000487647 s,
213 kB/s
598 </pre
></blockquote
>
600 <p
>Quite the difference. :) I bought a few more than I need, in case
601 someone want to buy one here in Norway. :)
</p
>
603 <p
>Update: The dongle was presented at Debconf last year. You might
604 find
<a href=
"https://debconf16.debconf.org/talks/
94/
">the talk
605 recording illuminating
</a
>. It explains exactly what the source of
606 randomness is, if you are unable to spot it from the schema drawing
607 available from the ChaosKey web site linked at the start of this blog
613 <title>Detect OOXML files with undefined behaviour?
</title>
614 <link>http://people.skolelinux.org/pere/blog/Detect_OOXML_files_with_undefined_behaviour_.html
</link>
615 <guid isPermaLink=
"true">http://people.skolelinux.org/pere/blog/Detect_OOXML_files_with_undefined_behaviour_.html
</guid>
616 <pubDate>Tue,
21 Feb
2017 00:
20:
00 +
0100</pubDate>
617 <description><p
>I just noticed
618 <a href=
"http://www.arkivrad.no/aktuelt/riksarkivarens-forskrift-pa-horing
">the
619 new Norwegian proposal for archiving rules in the goverment
</a
> list
620 <a href=
"http://www.ecma-international.org/publications/standards/Ecma-
376.htm
">ECMA-
376</a
>
621 / ISO/IEC
29500 (aka OOXML) as valid formats to put in long term
622 storage. Luckily such files will only be accepted based on
623 pre-approval from the National Archive. Allowing OOXML files to be
624 used for long term storage might seem like a good idea as long as we
625 forget that there are plenty of ways for a
"valid
" OOXML document to
626 have content with no defined interpretation in the standard, which
627 lead to a question and an idea.
</p
>
629 <p
>Is there any tool to detect if a OOXML document depend on such
630 undefined behaviour? It would be useful for the National Archive (and
631 anyone else interested in verifying that a document is well defined)
632 to have such tool available when considering to approve the use of
633 OOXML. I
'm aware of the
634 <a href=
"https://github.com/arlm/officeotron/
">officeotron OOXML
635 validator
</a
>, but do not know how complete it is nor if it will
636 report use of undefined behaviour. Are there other similar tools
637 available? Please send me an email if you know of any such tool.
</p
>
projects / homepage.git / blob