Another old copy

This post is by request (after I mentioned the trick in passing to someone on IRC).

So, the lay of the land: you find yourself in some dubious or highly unconventional position of server access. Maybe it’s behind a few layers of ssh jumps and VPN paths. Maybe the only way to get data input is that it’s on the other side of a phonecall, a human slowly typing in some things as you read it out to them. Maybe it’s just some damned SSO config on a corporate network somewhere. Doesn’t matter exactly which it is, you have the problem that you cannot easily copy a set of files to where you need it.

There’s a few handfuls of ways in which one can deal with this. One of the easiest, if you can manage, is to stick it somewhere as an HTTPS resource and pull that down. But… sometimes you don’t have HTTPS access (or, for that matter, any outbound internet access at all). Maybe you can do some DNS tunneling? The difficulty of that ramps up rather quickly, unfortunately. You just happen to not have your DNS fileserver running today!

But… hey, you already have a shell, right? And there’s a `base64` or `od` binary on that host, or maybe some python or Perl or even bash?

Well then, lucky you.

Take your file on the input side. Pop it through a base64 encode.

    # presuming OSX
    source% base64 -i some_input -o the_base64

Read that base64 into your pastebuffer, paste on the other side. End off your heredoc (they do make it easier in many cases). Remake your file as you need it.

    # presuming linux
    dest% cat <<EOF >> base64_input
    < the paste goes here >
    EOF
    dest% base64 -d base64_input > the_original

You need multiple files? Roundtrip it through an archive!

Maybe they’re big files and you’re worried about items getting lost? `split` and `par2` are your friends! Don’t have `par2`? No matter, you can install it in this manner!
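An added example (not from the original post) of the archive round trip, with a SHA-256 comparison standing in for `par2`: it only detects a damaged paste, it cannot repair one. The function names and sample files are made up for the illustration, and GNU `base64`/`sha256sum` plus `tar` are assumed on both ends.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumes GNU base64/sha256sum and tar on both ends.

# pack SRC_DIR OUT_TXT: archive a directory into pasteable base64 text and
# print the SHA-256 of the archive, to be read across separately.
pack() {
    tar -C "$1" -czf "$2.tgz" . || return 1
    base64 "$2.tgz" > "$2" || return 1
    sha256sum "$2.tgz" | cut -d' ' -f1
}

# unpack IN_TXT EXPECTED_SHA256 DEST_DIR: decode the pasted text and refuse
# to extract unless the checksum matches what the source side reported.
unpack() {
    base64 -d "$1" > "$1.tgz" 2>/dev/null || { echo "not valid base64" >&2; return 1; }
    got=$(sha256sum "$1.tgz" | cut -d' ' -f1)
    if [ "$got" != "$2" ]; then
        echo "checksum mismatch: got $got" >&2
        return 1
    fi
    mkdir -p "$3" && tar -C "$3" -xzf "$1.tgz"
}

# Constructed sample data: two small files, round-tripped in a temp dir.
demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/src"
    printf 'listen 443\n' > "$work/src/app.conf"
    seq 1 500 > "$work/src/data.txt"
    sum=$(pack "$work/src" "$work/paste.txt") || return 1
    unpack "$work/paste.txt" "$sum" "$work/dst" || return 1
    diff -r "$work/src" "$work/dst" >/dev/null || return 1
    # Simulate a line lost during the paste: extraction must be refused.
    sed '2d' "$work/paste.txt" > "$work/damaged.txt"
    if unpack "$work/damaged.txt" "$sum" "$work/bad" 2>/dev/null; then return 1; fi
    rm -rf "$work"
}
demo && echo "round trip ok, damaged paste rejected"
```

The checksum is short enough to read out or retype by hand, so it can travel over the same awkward channel as the paste itself.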

You can see how versatile this technique can be. And how insane. But it’s a nice enough wrench to have in your toolbox if you ever need to hit a nail in, if you know what I mean.

It’s also by no means new. Nor is it previously undocumented. Or even the only variation of this trick[0]. It’s just one of those things that sometimes happens to need to be shown. Lest the arcana be forgotten.

[0] – for a fun exercise, see how many variations of this you can come up with.

Drone CI Slack plugin changes for 0.4 to 0.5

Recently I’ve set up Drone CI for internal use, and ran into an issue with the Slack plugin failing to work. I thought I’d give a quick summary here of what was necessary to fix it on my setup, as the documentation (as it stands today) didn’t make it very clear.

The config required for making the Slack plugin work on 0.4 looks like this:

    channel: general
    username: drone

And the config for 0.5 like this:


    image: plugins/slack
    channel: general
    username: drone

The main differences I observed are:

  • the depth at which the notification plugin is stated (on 0.4 it’s at the root, on 0.5 it’s under pipeline)
  • “webhook_url” changed to “webhook”
  • the notify keyword/section appears to no longer be required

Mailmate Submailbox SNR hack

Problem statement: One of my customers uses Bitbucket for their code, and I have a noisy mailbox.

Instead of writing even more filters¹, I opted to use the Mailmate Smart Mailbox feature to get a better signal about/for things from Bitbucket.

Here’s a regex I used:

${subject.body/Pull request #([0-9]+): (.*) \(.*\/(.*)\).*/${3} - #${1} ${2}/}

It works pretty well.

And credit where credit is due: I first saw pbrooko do this, so the idea inspiration is there.

¹) I find filters to be a cause of problems, in my experience, across all my devices and interfaces.

My sound setup

Since I find myself linking to this frequently enough (and because it’s been a while since this had a post), I figured I’d just write it up somewhere.

Portable set

1x Hardshell case
1x Sennheiser HD558
1x FiiO E10K
1x Shorter cable

The carry case isn’t amazing, but it gets the job done, and I got it delivered in something like a day during one of my recent US trips.

More stationary/”used in study” set

1x FiiO E10K
1x Sennheiser HD598

What I’d change

At some point I might get a Maverick DAC (or one of the other ones you can find these days), and maybe a set of HD650 cans.

What I like

My phone has enough juice on its output to be able to drive the HD558 set reasonably, but does have a noticeably lower maximum compared to the DAC. If I were to try go past that, I’ve eyed the E6 and E12 as possible options. No major reason for the FiiO units above anything else, they’ve just not let me down yet and they’re cheap enough to be reasonable (which factors in on shipping things to .za)

What sucks

Both the headphone models above are open-back, which have issues being used in more crowded places or alongside busy roads or on the train, etc. I used to use a set of Sennheiser CX200 instead during those times, but mine got lost somewhere before the move. One friend has recommended the NVX XPT100 as an option, and another the Alessandro MS-1s (which are basically a re-release of the Grados or somesuch). I prefer over-ear over on-ear, so I expect I’d probably try something like the XPT100 set first.

Keys, identity, etc

This post serves as a general notice of key update, as well as a short bit of history.

My new GPG key is a 4096 RSA. It’s available on the SKS keyservers already, and has the fingerprint 1A9260611F0D15319BE6465E474E16D0F70C7CC9. I have also updated my Keybase identity with this as appropriate, as well as updating my online pubkey store.

My old key was E5BB45ADAC20F87D8E5C2316D3C406A99ABE41AE, 1024 DSA. I’ll be pushing a revocation for this in about a week’s time.

The intention behind this is a general update, plus also just adding some clarity to my public key situation. I have some Older Keys which happened, in various states, from times when I had no clue to times where I had no ability to survive machine or disk failures. Aside from those conditions, I had another key which I also no longer wish to use (due to reasonable key size concerns etc).

Also, updates

mysql> delete from wp_comments where comment_approved=0;
 Query OK, 16330 rows affected, 40 warnings (0.59 sec)

*updates wordpress, disables comments, leaves Disqus to do the rest*

News and such

Been a while. I wrote some small bad software. The cornercase for which I needed it was “mutually-viewed screen session running pushloop, which does puppet runs” for some work a colleague and I were doing. Post-receive config to echo to a file (from your DVCS of choice), done/done.

I’ll also be doing a talk on Logcabin at PyconZA this coming week (with opensourcing the module coming in the near future). It’s been fun doing things with that.

Outside of the tech space I guess I’m just waiting for things to tick up.

DHCP, LXC, phy-less (?) bridges, and checksums

tl;dr: if your lxc container on a bridged/veth network is randomly failing to get a dhcp address, you can probably fix it with `ethtool -K br0 rx off tx off` (br0 being the bridge interface).

With my home DSL acting up quite a bit lately (“lately” == month and a half now. “acting up” == ground fault, and waiting for the telco to fix it..), I’ve been doing a lot of sandboxing work on my microserver at home. But because of its resource scarcity (2GB RAM, and I just haven’t bought more yet), I’ve been giving LXC a go[0] (where I’d normally just do libvirt’d kvm). It’s pretty easy to get started (check this post for pretty much all the info you need), but I did deviate from the norm slightly.

I like my eth interfaces on a server like this to be non-bridged, mostly because of a lack of ipmi (but also because brctl is a clown sometimes). So my setup for this at home looks like so:

auto lxc0
iface lxc0 inet static
  bridge_stp on
  pre-up /sbin/brctl addbr lxc0
  post-down /sbin/brctl delbr lxc0

I’ve also got dnsmasq listening on everything, although I hadn’t had it doing dhcp on that interface yet. Today I decided to change that, which is what led me to discovering this: (afaict) if you don’t have a phy interface attached to your bridge, checksum offloading behaviour on that bridge appears to be fucked-by-default.

How this manifested in my case was that lxc containers couldn’t successfully DHCP (mostly silent failure), but doing a pcap or dhcpdump on the inside interface would show responses actually getting to your container. After some various derpery with dhclient’s options and applying enough patience, I finally managed to see a message: ‘5 bad udp checksums in 5 packets’. Some quick searching revealed people advising doing `iptables -A POSTROUTING -t mangle -p udp --dport bootpc -j CHECKSUM --checksum-fill` to fix this. Not just liking magic patches, I did check into why this is the case, and as mentioned earlier, it seems that this happens when you don’t have a phy attached to the bridge[1].

My network config for that interface now has a `post-up /sbin/ethtool -K tor0 rx off tx off` in it, and things seem dandy.

[0] – Mostly works pretty well. On debian wheezy you need some backported stuff for the various cgroups support. I think I got them from sid.
[1] – “seems”, because a) I don’t feel like testing this by attaching a real phy to the bridge now, and b) I haven’t run into this before when using various other things (KVM usually) that were running on phy-attached bridges so I can only guess this is what happens. Feel free to test and let me know.


Just a quick post to announce puppetvpn. It’s a puppet module for easily setting up openvpn links (p2p and hub-and-spoke), with the main point/attraction/difference being that it lets puppet take care of the key management effort.

Based on initial work by Tristan, so all credit as due goes there.

It’s not very smart right now (presumes a whole bunch of things). Patches accepted.

The worst day I’ve had in a while

Otherwise known as the narrative of 15 Feb 2014. I don’t really know who’ll give a crap, but I just need to get this out of my system.

Having lived in South Africa all my life (thus far), the thing about crime has often come up. And, for the most part, I’ve been pretty damned fortunate to not have had to deal with it at all. Until last night, that is. Which is the worst time it could possibly have hit me at. I’ve been in a bit of a dark spell the last couple of weeks, due to a variety of factors, but things were finally starting to feel a bit better last night. I actually went as far as to comment to someone “I think I’m finally through it all!” around 10~11pm. But hey…apparently it wasn’t quite time yet.

Around 2am (which I guess is technically Sunday?), I left a friend’s house, going homewards via Andiccio 24 (which is a regular habit when I’ve been up all night). I’d been sick since last weekend, too, and was feeling pretty damn drained by this point. After getting my pizza and starting to drive home, somewhere along the route my scooter just failed on me. I don’t know why yet, haven’t exactly had the headspace to look. Sounds electrical-ish, but w/e. And to start the bad, my pizza had fallen onto the ground. This annoyed me, but was just a slight taste of what was to come. At this point, I phone the AA, who give me an estimate of 60 to 90 minutes as pickup time. Now I only live a couple of blocks from where I broke down (albeit uphill), so while I wait for their confirmatory call I start trying to push it as far as I can go. Which isn’t very far, because I’m exhausted as hell. As I got a little bit up the one hill, a white car with two occupants comes driving past, as best as I can tell seeming to be some kind of neighbourhood patrol. And as I mention my difficulties and issues there, the guy claims that he might be able to help me with getting the AA to hurry up. And, hell, I’m tired (had been awake since 05h40 on the Saturday), hungry, stuck in the middle of uselessville at 3am, and I decide to trust the guy. Why not? Not like I ever really do trust strangers. I can’t tell you why I did it.

But I phone the AA up, mention to the callcentre person that this other individual wants to speak to them, and hand my phone over to the guy in the car. After they speak for about 10~15 seconds, I hear the guy mention that he’s with SAPS (which I think is probably illegal to impersonate), and at this point they start driving off, go around the corner, and gone. Now I’ve got no comms. No ETA on getting home. No ability to confirm the pickup. I’m tired, I’m hungry, I’m stressed, and I snap. The last few weeks’ worth of bad just hit me like a ton of bricks dislodged from a cargo carrier, and I am /fucked/. I try to ring a few doorbells, don’t really get anywhere. Finally I see an actual Beagle Security (local patrol crowd) driving past, and after I literally begged the driver, I managed to get home. From where I then started trying to get Prey and such installed on my phone. Which doesn’t help, you need to do it in advance. So I try android remote wipe. Nope, that needs to be set up in advance too. And just a couple of days ago I’d turned off location reporting on my tablet, and forgotten to check if it was account wide. So I couldn’t trace the handset either.

I start pulling out whatever tricks I can try manage. I even try to get my FNB Connect voice thing back up. But I couldn’t find the details saved, and thus couldn’t get any calls done. I need to phone the police. I didn’t even have a plate number for the car. But fuckit, what do you do instead? I post on facebook, asking for help, which is something I do so rarely I don’t even know how to do it. It’s at this point that I ask around, see if anyone has some voip I could use. It’s at this point where some guys over at helped me out, and I am extremely thankful for that. The teams who run that place I could solidly count as A+ people. Technically, and for reasons such as this. I manage to phone the police, I get as far as I can manage. I start changing account passwords, dissociating things from my phone, making it as useless as I could possibly hope (ie. no posts showing up when notifications come through, etc). It didn’t have much battery life left, either, so it would’ve died on the people soon afterwards anyway.

But at this point I’ve hit a low. Being without comms is a major hit, for multiple reasons, and being unable to contact (because of this) the one or two people who could’ve actually helped me through it…well, yeah. I hit a low I haven’t hit about since the time I realized I need to cut myself off from my family in totality. I’m not ashamed to say that I cried a bit. I was feeling so utterly helpless in the face of everything, and I just didn’t know what to do.

Positive things! A couple:

  • thank you very much to the person who helped me with the ability to call (I’m finding out if I can name them here)
  • thanks to Tristan for helping me get around in the morning, breakfast (to deal with the fact that I’m starved and getting a migraine), helping get to police, and sitting patiently through multiple stages of trying to get my handset blacklisted (the IMEI shown on the network HLR doesn’t match the IMEI on the box I have)
  • there were a fair handful of people who responded to my FB post (each of you have been noted, and I will make sure to pay you back whenever I can one day)
  • thank you to the people on Shadowfire who let me rage and rant and vent
  • fortunately I had handset insurance from my provider, so this should not make much of a knock on my finances (which was a related fear)

Speculation: maybe…just maaaaybe…the guys in the car were legit. As I said, the battery would’ve died soon. But I don’t feel so. I ran down to the traffic light after they bolted, and I couldn’t see the car by the time I’d gotten there (about 40~50m down the road).

And now it’s Sunday evening. It took a day to get some stuff sorted (prepaid SIM, ability to phone, arranged transport to get to my Monday meeting), and I had the maximum indicated dose of Migril to try counteract my migraine. I still haven’t eaten properly, and don’t feel I can easily. re:hidrat it is, then, for getting myself feeling a slight bit better. My cat is sleeping next to me (she annexed a whole pillow on my couch), there’s good music playing, and I’m clutching my way back to feeling better. Slowly, bit by bit. But this one will hurt for a while.

edit: I know many of these things sound tiny. With perspective, they are. But they added up in just the right set of flavours. Here’s to getting some perspective again, though!

edit 2: did eventually get the scooter back home. The original call with AA had been closed, apparently the guys claimed that they’d done a pickup. I hope to open some kind of case and maybe get my hands on that recording. Or something. I don’t know. But did get home, and after a minor freakout for a while (of not being able to find the right keys to get the scooter movable (steering lock)), all roughly ended up “okay”