Thursday, February 7, 2013

Strip all EXIF metadata from images

As we take more and more pictures with phones and increasingly clever cameras, the photos carry more and more personal information: camera serial numbers, exact timestamps, often the GPS position where the picture was taken. Before putting them on the internet it is a good idea to strip all of it to protect your privacy. You can do that with exiftool (package libimage-exiftool-perl on Debian/Ubuntu), like this:

exiftool -all= somefile.jpg

Two things to know about that command. By default exiftool keeps the untouched input next to the output as somefile.jpg_original, which still holds everything you just removed, so delete that copy or pass -overwrite_original. And check the result with exiftool -a -G1 somefile.jpg: no EXIF, GPS, XMP or IPTC tags should be listed any more.
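As an added example (not part of the original post), the following script strips a JPEG with exiftool and then verifies the result without trusting exiftool's own report: it walks the JPEG marker segments itself and lists any metadata-bearing segment that is still present. The segment walker only needs od, so it also works on files that were cleaned with some other tool. The function names and the -overwrite_original usage are this example's choices, not the post's.

```shell
#!/bin/bash
# Added example (not part of the post): strip a JPEG with exiftool and then confirm,
# independently of exiftool, that no metadata segment survives in the file.
#
# A JPEG is a sequence of segments: 0xFF <type> <2-byte big-endian length> <payload>,
# up to SOS (0xFFDA) where the entropy-coded image data starts. EXIF and XMP travel in
# APP1 (0xFFE1), Photoshop/IPTC in APP13 (0xFFED), free-text comments in COM (0xFFFE).
# APP0 (JFIF) and APP14 (Adobe) only describe the image encoding and are ignored here.

# Print the types of metadata-bearing segments still present in JPEG $1 (empty when clean).
# Returns 2 if the file does not start with SOI or the segment stream is truncated.
jpeg_meta_segments() {
    local f=$1 size off marker hexlen len type found=""
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$(od -An -tx1 -N 2 "$f" | tr -d ' \n')" = "ffd8" ] || return 2
    off=2
    while [ "$off" -lt "$size" ]; do
        marker=$(od -An -tx1 -j "$off" -N 2 "$f" | tr -d ' \n')
        case $marker in
            ffda|ffd9) break ;;     # image data or end of image: no more segments follow
            ff??) ;;
            *) return 2 ;;          # lost sync: not a well-formed segment stream
        esac
        hexlen=$(od -An -tx1 -j $((off + 2)) -N 2 "$f" | tr -d ' \n')
        [ ${#hexlen} -eq 4 ] || return 2
        len=$((0x$hexlen))          # length field counts itself but not the marker
        type=${marker#ff}
        case $type in
            e[1-9a-df]|fe) found="$found$type " ;;   # APP1..APP13, APP15 and COM
        esac
        off=$((off + 2 + len))
    done
    printf '%s' "${found% }"
}

# Strip everything in place, then verify. Without -overwrite_original exiftool leaves the
# untouched input behind as FILE_original, which still carries the data you wanted gone.
strip_and_verify() {
    local f=$1 left
    exiftool -q -all= -overwrite_original "$f" || return 2
    left=$(jpeg_meta_segments "$f") || return 2
    if [ -n "$left" ]; then
        printf '%s: metadata segments remain: %s\n' "$f" "$left" >&2
        return 1
    fi
    printf '%s: clean\n' "$f"
}

# usage: strip_and_verify holiday.jpg
```

A non-empty list from jpeg_meta_segments after stripping usually means the file was not a plain JPEG (some cameras write MPO or HEIF containers with a .jpg extension), which is exactly the case where a blind exiftool run gives a false sense of safety.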

Wednesday, December 5, 2012

Online storage migration with mdadm

Far, far away... I stumbled upon an interesting problem in the previous weeks that I want to share with you.

So... let's start with some background. Assume we have two custom-built storage boxes (Linux machines with tons of hard disks, forty-eight each, bound together with LVM and presented to the clients over iSCSI using the SCST target); yes, I know it's the poor man's storage, but it works nicely. The clients are Linux boxes using the iSCSI targets as raw disks (one per machine) for KVM virtual machines. So... the problem is to migrate from the first storage (I will call it Chew from now on) to the other storage (Jeti) with the minimum possible downtime for the KVM guests.

The first solution that comes to mind is to dd the disks between Chew and Jeti while the guests are down. But given that we are talking about 7TB of storage, that is far too much outage. There are rsync-like dd tools and block-device patches for rsync, but for larger disks (around 1-2TB) the final sync that has to happen during the downtime still takes a long time.

After a long week with very little sleep, an insane idea came to my mind... let's use mdadm to sync the disks! I had already tested RAID 1 on network-attached block devices in the past, so this wasn't new to me, but these were running virtual machines with valuable data. They would cut my head off if something bad happened! So the idea that first sounded insane and a bit risky turned out to be the solution with acceptable downtime.

Together with one of my colleagues (Lavian) we polished the plan. The first idea was to get the two Logical Volumes onto one machine and then synchronise them with mdadm RAID 1. We created the same LVM structure on Jeti that Chew had, then grew every LV by 4M to have enough space for the RAID metadata at the end of the device. We used RAID metadata version 0.90 because it lives at the end of the device (as does version 1.0; 1.1 and 1.2 put it at the start). That was an important point, because a metadata format stored at the beginning of the device would overwrite our data. We attached the LVs from Jeti to Chew over iSCSI, so Chew had both the receiving and the sending side of the synchronisation, then set up RAID 1 with mdadm and waited for the sync. Note that the KVM clients still saw the old-sized disks, not the larger ones, because we hadn't told them about the growth, and the guests kept happily running.

After the sync came the downtime... We shut down the guests, logged out of the iSCSI sessions and also disabled them on Chew; the latter was necessary because:

  1. we didn't need them any more, and
  2. we used an iSCSI target with a RAM cache, so we had to be sure the RAM was flushed to disk.
We also backed up our flushing with a few "sync"s and "sysctl -w vm.drop_caches=3"s on Chew (drop_caches only discards clean pages; it is sync that writes out the dirty ones).

So at this point both Chew and Jeti had the same data and the outage was only several minutes; yessss, we did it, boss! It was time to stop the RAID, zero the superblocks, log out from Jeti on Chew and reconfigure the clients to use the new storage. That takes only a few minutes, and then the guests can be restarted.

This worked on a few machines, but then shit happened... we started to see I/O errors on some machines, so after a bit of cursing and switching those machines back to Chew, we started to inspect the situation.

We weren't able to find the error in the process described above. We suspected that some caches hadn't been flushed to disk but weren't able to locate them. So, very disappointed, we went home that day. As I wrote earlier, I had been sleeping very little at the time... so after that terrible day I slept almost 16 hours in a row, oh man, that was gorgeous! When I woke up I came up with the polished, final solution.

The aim was to synchronise the two storages for the virtual machines... so why not synchronise them on the host side, at the very last place before the guests, and let the whole stack do its caching as it wants, without bothering with it at all!

So we attached Jeti's storage to the host machines running the KVM guests over iSCSI and did the synchronisation (of the two iSCSI targets) there with mdadm. This time the downtime came at the beginning of the process, because we had to detach the original (Chew) iSCSI storage, grow the LV, and reattach it. Then we built the RAID 1 devices and started the guests on them; the RAID sync finished after the guests were powered on.
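The host-side procedure as an added example, written for this page rather than taken from the post: migrate_to_mirror walks through the steps above for one guest disk, and md_sync_done is the check a careful operator wants before the old storage is retired, parsing /proc/mdstat so that Chew's leg is only failed out once the mirror is clean. The array name md0, the device variables and the 30-second polling interval are this example's assumptions; the 4M growth is assumed to have been done on the storage box beforehand, as the post describes. One caveat on the metadata choice is noted in the code: 0.90 sits at the end of the device but caps members at 2TB, and 1.0 sits at the end without that cap.

```shell
#!/bin/bash
# Added example, not the post's own commands: the host-side migration of one guest disk,
# plus the check a careful operator wants before retiring the old storage.
# Assumed names: md0 for the array, $old and $new for the iSCSI block devices from Chew
# and Jeti as seen on the KVM host, both already grown by 4M on the storage side, and the
# guest that uses $old shut down while the array is created.

# md_sync_done ARRAY [MDSTAT]: exit 0 when ARRAY (e.g. md0) is a complete, clean mirror,
# 1 while it is degraded or still resyncing, 2 when it does not appear in MDSTAT.
# MDSTAT defaults to /proc/mdstat; the parameter exists so the parser can be run on a copy.
md_sync_done() {
    local md=$1 stat=${2:-/proc/mdstat} status
    status=$(awk -v md="$md" '
        $1 == md                                 { inblock = 1; next }
        inblock && NF == 0                       { exit }
        inblock && /blocks/                      { st = $NF }      # e.g. [UU] or [U_]
        inblock && /(recovery|resync|reshape) =/ { st = "syncing" }
        END                                      { print st }' "$stat")
    case $status in
        '')       return 2 ;;   # no such array
        syncing)  return 1 ;;   # rebuild in progress
        *_*)      return 1 ;;   # a member is missing
        \[U*\])   return 0 ;;
        *)        return 2 ;;
    esac
}

# migrate_to_mirror ARRAY OLD NEW: build the mirror on top of the existing data, add the
# new storage and wait until it is clean. The guest can be started on /dev/ARRAY right
# after the --add; nothing in OLD's data area is touched because the superblock sits at
# the end of the device, in the space the 4M growth added.
migrate_to_mirror() {
    local md=$1 old=$2 new=$3
    # 0.90 is what the post used; it caps member devices at 2TB. --metadata=1.0 also lives
    # at the end of the device without that cap. --run skips the "appears to contain a
    # filesystem, continue?" prompt mdadm raises for a device that is in use.
    mdadm --create "/dev/$md" --run --metadata=0.90 --level=1 --raid-devices=2 "$old" missing || return 1
    mdadm --add "/dev/$md" "$new" || return 1
    until md_sync_done "$md"; do sleep 30; done
    mdadm --detail "/dev/$md"
}

# retire_old_leg ARRAY OLD: later, once everything should run from Jeti, drop Chew's leg
# while the guest keeps running; refuses while the mirror is not clean.
retire_old_leg() {
    local md=$1 old=$2
    md_sync_done "$md" || { printf '%s is not clean, not failing %s\n' "$md" "$old" >&2; return 1; }
    mdadm "/dev/$md" --fail "$old" --remove "$old" || return 1
    mdadm --zero-superblock "$old"
}

# usage (as root, with the guest stopped):
#   migrate_to_mirror md0 /dev/disk/by-path/CHEW-LUN /dev/disk/by-path/JETI-LUN
#   ... start the guest on /dev/md0 ...
#   retire_old_leg md0 /dev/disk/by-path/CHEW-LUN
```

Leaving the guest on a one-legged /dev/md0 after retire_old_leg is what gives the zero-downtime migration path the post ends with: the next storage box is just another --add.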

Great success! The second method worked flawlessly and we migrated all of our machines without further gotchas. Plus, because we left the machines on RAID devices, we will be able to do further migrations without downtime. So, as Antoine de Saint-Exupéry said: "Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away." We got past the first crazy-looking process and arrived at a much nicer one, and at a new default config: running on RAID 1 devices even when there is only one storage behind them, to be able to migrate without downtime in the future.

I hope you enjoyed this small story, and if you know why the hell the first method didn't work, feel free to drop me a line!

Keep hacking! Cheers!

Wednesday, April 25, 2012

SCP with agent forwarding

I had the task of scp-ing to a machine that can only be reached with SSH agent forwarding. (Actually it was an SCB that required it.)

The problem is that scp does not forward the SSH agent by default. Luckily I found this article, which gave me the solution.

The root of the problem is that when scp invokes ssh it explicitly switches agent forwarding off, and this cannot be overridden either by editing ~/.ssh/config or with the -A command-line option.

Fortunately scp has a -S option to specify which ssh binary it should run. So if we write a wrapper that removes the default agent-forwarding ban from the options scp hands to ssh, we have won. (scp passes the option as a single argument, "-oForwardAgent no" in older OpenSSH releases and "-oForwardAgent=no" in newer ones, so the wrapper below matches both spellings.) Bear in mind that for as long as the session lasts, anyone with root on the gateway can use your forwarded agent, so only do this where the jump host really requires it, as the SCB did here. Save the following small script under some name, say ssh-wrapper, and make it executable:

#!/usr/bin/perl
# scp calls ssh with agent forwarding disabled; flip that one option and
# pass every other argument through untouched.
s/^-oForwardAgent[ =]no$/-oForwardAgent=yes/ for @ARGV;
exec '/usr/bin/ssh', @ARGV or die "exec /usr/bin/ssh: $!";

then run scp like this:

$ scp -S ./ssh-wrapper some-file my-server:

and finally lean back with satisfaction! :)

Tuesday, April 3, 2012

Make a parallel script in bash

I have a script that processes a file line by line. I modified it to do the processing in parallel, as follows:

#!/bin/bash

MAXJOBS=3

while IFS= read -r line; do
    # each line is handled by a background subshell; </dev/null keeps a job that
    # reads stdin from eating the rest of input.txt
    ( echo "do thing with $line" ) </dev/null &

    # throttle: pause while MAXJOBS jobs are still running
    while [ "$(jobs -pr | wc -l)" -ge "$MAXJOBS" ]; do
        sleep 1
    done
done < input.txt

wait

It starts the subprocesses, and as soon as MAXJOBS of them are running it waits for one to finish before reading the next line. The wait at the end waits for all the remaining processes.

UPDATE: If you need to filter the input first, for example with grep, feed the loop through process substitution:

...
done < <(grep '#' input.txt)

wait

instead of a pipeline:

grep '#' input.txt | while read line; do

The reason is that a while loop at the end of a pipeline runs in a subshell: the jobs it starts belong to that subshell, so the final wait in the main script has nothing to wait for and the script can exit while work is still running (variables set inside the loop are lost the same way).
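A generalised form of the pattern as an added example (not the post's script): parallel_lines takes the job limit, a command to run per line and the input file, redirects each job's stdin away from the input, and collects every job's exit status, which the plain wait at the end of the script above throws away. The worker function demo_worker is a constructed stand-in for the real per-line work.

```shell
#!/bin/bash
# Added example, not the post's script: run "CMD line" for every line of FILE with a
# bounded number of concurrent jobs and report how many of them failed.

# parallel_lines MAXJOBS CMD FILE -> returns the number of failed jobs (0 = all succeeded;
# the shell caps a return value at 255, so treat a non-zero value as "at least this many").
parallel_lines() {
    local maxjobs=$1 cmd=$2 input=$3 line pid pids="" failures=0
    while IFS= read -r line; do
        # </dev/null: a job that reads stdin would otherwise consume the rest of $input
        "$cmd" "$line" </dev/null &
        pids="$pids $!"
        # throttle on jobs still running (jobs -r), not on every job ever started
        while [ "$(jobs -pr | wc -l)" -ge "$maxjobs" ]; do
            sleep 0.2
        done
    done < "$input"
    # reap each job by PID so every exit status is seen, not just "everything finished";
    # bash keeps the status of reaped background jobs, so this works after they have exited
    for pid in $pids; do
        wait "$pid" || failures=$((failures + 1))
    done
    return "$failures"
}

# Constructed stand-in for the per-line work: fails on any line that mentions "bad".
demo_worker() {
    case $1 in *bad*) return 1 ;; esac
    return 0
}

# usage: parallel_lines 3 demo_worker input.txt; echo "failed jobs: $?"
```

Passing a function name as CMD works because bash runs the function in a forked subshell when it is backgrounded; for an external program the same call form applies unchanged.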

Wednesday, December 7, 2011

Files in directories

I was playing with rsync recently and somehow there were more files than I was expecting. Tons of files... I wanted to find out where those files were hiding in the huge directory structure.

My solution was this:

find -L . -maxdepth 1 -mindepth 1 -type d -exec /bin/bash -c 'printf "%s " "$1"; find -L "$1" | wc -l' _ {} \; | column -t


It prints, for each directory under the one you run it in, the number of entries find sees below it (the directory itself is included in the count, and -L makes it follow symlinks). The directory name goes to bash as an argument ($1) instead of being pasted into the command string with {}: otherwise a name with a space or a quote breaks the command, and a directory called $(rm -rf ~) gets executed.

With the help of this piece of... hmm... beauty, I was able to find thousands of files that needn't have been there. :)

A sample run:

stone@home:/usr/src/linux-headers-3.0.0-14$ find -L . -maxdepth 1 -mindepth 1 -type d -exec /bin/bash -c 'printf "%s " "$1"; find -L "$1" | wc -l' _ {} \; | column -t
./kernel 28
./arch 8032
./ubuntu 28
./Documentation 57
./virt 3
./drivers 1673
./tools 51
./ipc 2
./scripts 241
./crypto 6
./include 2670
./usr 3
./security 24
./sound 240
./net 194
./block 4
./firmware 2
./fs 221
./mm 4
./samples 19
./lib 21
./init 3
stone@home:/usr/src/linux-headers-3.0.0-14$
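As an added example (not from the post), here is the one-liner as two shell functions that stay safe against hostile directory names, together with a constructed test tree that contains a directory literally named $(touch pwned). Substituting that name into a bash -c string with {} runs the payload; passing it as an argument does not. The function names are this example's own.

```shell
#!/bin/bash
# Added example (not the post's one-liner): per-directory entry counts that are safe
# against hostile directory names. Substituting {} into the string that bash -c parses
# turns a directory named '$(touch pwned)' or 'x; rm -rf ~' into code, and names with
# spaces or quotes break the command. Here the path reaches bash as a positional
# argument, which is data and is never parsed.

# Entries below directory $1 as find counts them: the directory itself plus everything
# under it, following symlinks like the post does.
count_in_dir() {
    find -L "$1" | wc -l | tr -d ' '
}

# "<dir> <count>" for every subdirectory of $1, one per line. Functions are not visible
# inside -exec bash -c, so the inner find is spelled out instead of calling count_in_dir.
count_per_dir() {
    find -L "$1" -mindepth 1 -maxdepth 1 -type d -exec /bin/bash -c '
        for d; do
            printf "%s %s\n" "$d" "$(find -L "$d" | wc -l | tr -d " ")"
        done' _ {} +
}

# usage: count_per_dir . | sort -k2 -n | column -t
```

The sort puts the heaviest directories last, which is the quickest way to spot where the unexpected files landed.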

Monday, November 28, 2011

Goodbye Unity, welcome Xfce (some tweaks to make me happy)

I was fed up with the Unity and Gnome 3 thing. I wanted my Gnome 2 back, and the old "it just works" feeling. So I switched to Xubuntu...

I was happy after configuring the panels to mimic the old Gnome 2, but I had to do some other tweaks to get the old feeling back.

First was the annoying habit of windows jumping between workspaces (for example, clicking a link in Thunderbird made Chrome jump to the same workspace), but after a bit of googling I found the solution:

xfconf-query -c xfwm4 -p /general/activate_action -s none

To get the old scrollbars back:
apt-get remove overlay-scrollbar liboverlay-scrollbar*


Now I am completely happy! :)

Thursday, June 2, 2011

Bitcoin -- money of the future

Bitcoin is a P2P virtual currency that has been used as real money on the Internet for a couple of years now. Some say it is the greatest innovation, and the most dangerous thing, since the birth of the Internet. It is a decentralised payment system that is pseudonymous rather than truly anonymous: addresses are not tied to names, but every transaction is public and can be linked to others. It doesn't need a central authority to work, and there is no central point a government could seize to control, tax or stop it. But for me the mathematics and the idea that make it work are the greatest thing about it.

First of all, it is built on public-key signatures; Bitcoin uses ECDSA on the secp256k1 curve, not RSA. You have a private and a public key (more than one, in practice, for better privacy) and you spend and receive money with them. Second, it relies on a clever distributed timestamping scheme to prevent double spending.

Bitcoin is a chain of transaction blocks. This chain is maintained by the whole network and contains all transactions since the beginning (if it gets very long, there are ways to prune it). When you want to spend money, you build a transaction that references the earlier transaction output you received (by its hash), names the recipient's public key and the amount, sign it with your private key and broadcast it to the network.

Nodes (the miners) do a proof-of-work to include the new transactions in the chain. They form a block from the previous block's hash, the new transactions and a special number called the nonce. Guessing the nonce is the proof of work: the miner has to find one that makes the block's hash (double SHA-256) come out below a target, which shows up as a fixed number of leading zeros. Finding such a block is hard; the whole network finds about one every ten minutes. When machines get faster or the network grows, the target is lowered (more zeros are required) to keep that rate.

So you have this chain of blocks with many zeros; what good is it to you? If your transaction is in the chain and is followed by several new blocks, you can be sure that it is extremely hard to double spend the money you received. Only an attacker who controls the majority of the network's hashing power can undo a transaction, and that is very unlikely.

Every node works on the chain as it knows it and computes the proof of work. If a longer chain appears (some other node managed to do the work), it switches to it. The longest chain is always considered the real one. This is why the majority of hashing power rules: it makes its chain grow fastest. An attacker's alternative chain falls behind quickly and is ignored by the network, and the first, real spend remains the valid one.
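The mining loop and the check described above, as an added toy example that is not part of the post and not Bitcoin's real code: a real block header is 80 bytes hashed twice with SHA-256 and compared against a 256-bit target; here the "header" is prev_hash|data|nonce, hashed once, and the target is a number of leading zero hex digits. What survives the simplification is the asymmetry the post relies on: finding a nonce costs many hashes, checking it costs one, and changing anything in the block invalidates the nonce. The function names are this example's own.

```shell
#!/bin/bash
# Added example (not from the post): a toy of Bitcoin's proof-of-work.
# Block "header" = prev_hash|data|nonce, hashed once with SHA-256; difficulty = number of
# leading zero hex digits the hash must have. Real Bitcoin hashes an 80-byte binary header
# twice and compares with a 256-bit target, but the mechanics are the same.

sha256_hex() {   # hex digest of stdin
    if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
    else shasum -a 256 | cut -d' ' -f1; fi
}

zero_prefix() {  # zero_prefix N -> N zero characters
    local s="" i=0
    while [ "$i" -lt "$1" ]; do s="${s}0"; i=$((i + 1)); done
    printf '%s' "$s"
}

block_hash() {   # block_hash PREV DATA NONCE -> hex digest
    printf '%s|%s|%s' "$1" "$2" "$3" | sha256_hex
}

# mine_block PREV DATA ZEROS: try nonces 0,1,2,... until the hash starts with ZEROS zeros;
# prints "nonce hash". Expected work grows 16x per extra zero, which is what "difficulty" means.
mine_block() {
    local prev=$1 data=$2 target nonce=0 h
    target=$(zero_prefix "$3")
    while :; do
        h=$(block_hash "$prev" "$data" "$nonce")
        case $h in "$target"*) printf '%s %s\n' "$nonce" "$h"; return 0 ;; esac
        nonce=$((nonce + 1))
    done
}

# verify_block PREV DATA NONCE ZEROS HASH: exit 0 iff HASH is this block's hash and meets
# the target. One hash, no matter how long the miner searched.
verify_block() {
    local target
    target=$(zero_prefix "$4")
    [ "$(block_hash "$1" "$2" "$3")" = "$5" ] || return 1
    case $5 in "$target"*) return 0 ;; esac
    return 1
}

# usage: mine_block "$(zero_prefix 64)" 'alice pays bob 1' 3
```

Raising ZEROS by one makes mine_block take about sixteen times longer while verify_block stays a single hash; that is the "majority of hashing power" argument in miniature, since whoever can run mine_block fastest extends the chain fastest.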

How does someone get coins to spend? How are Bitcoins created? Since there is no central issuer, Bitcoins materialise from thin air as the reward for creating a block. The total supply is limited (21,000,000; since the smallest unit is 0.00000001 BTC, divisibility rather than inflation makes sure there is enough for everyone), the creation rate halves over time, and the last ones will be created around the year 2140. Those who do this seriously are called miners. But Bitcoins can also be exchanged for ordinary money (I think it can be a good investment as the price of Bitcoins rises).

As you can see, the thing works. The details and the proofs for the method can be found in Satoshi Nakamoto's paper, Bitcoin: A Peer-to-Peer Electronic Cash System. You can get the program from www.bitcoin.org and start using Bitcoins. You don't need to register, just run the program. It is available for Linux, OS X and Windows. The number of Bitcoin users and accepting businesses is growing rapidly.

Wednesday, May 11, 2011

Rename Cyrus IMAP folders

I had the task of restructuring some shared IMAP folders on our IMAP server running Cyrus.

I came up with the following solution:


  1. Rename the IMAP folder in cyradm with the renm fromwhat towhat command.

  2. Adjust every user's subscription list by issuing the following command in the /var/lib/cyrus/user directory:

    find . -iname '*.sub' -exec sed -i 's/fromwhat\x09/towhat\x09/' {} \;

The trailing tab anchors the pattern to the end of the folder name, so a folder called fromwhat2 is left alone. If fromwhat had subfolders, renm moved them as well, and their entries (fromwhat.child) need the same treatment. The \x09 escape and -i are GNU sed features.

This did the trick for me. Cheers! :)

Thursday, March 10, 2011

Secure wireless gateway

I'll be going abroad in the near future. At the hotel there will be an Internet connection in the room, but only wired. I'll take my Android phone and my laptop, so I'll bring a small wireless router with me too. It is a Fonera 2g as hardware, but it runs OpenWrt.

As I'll have my own AP there, why not secure my connection? I also have a private server somewhere in the USA, so I set up an OpenVPN connection between my router and my server and redirected all traffic through it. So now nothing in the hotel can sniff my traffic; it only sees the encrypted tunnel to my server.

How did I do it? It was easy once the VPN was in place (which also wasn't a big deal). Here is the recipe:

First I configured OpenVPN normally but added redirect-gateway at the end of the client config file (def1 is the usual flag to add to it, as it overrides the default route without deleting the original), to make it route the default gateway through the VPN. After that I enabled it at boot time with

/etc/init.d/openvpn enable


I edited /etc/firewall.user and added the following three lines:

iptables -I forwarding_rule -i tun+ -o br-lan -d 192.168.6.0/24 -j ACCEPT
iptables -I forwarding_rule -i br-lan -o tun+ -s 192.168.6.0/24 -j ACCEPT
iptables -t nat -I POSTROUTING -o tun0 -j MASQUERADE

where 192.168.6.0/24 is my wireless network.

And that's all. Now when I boot the router it automatically connects to the VPN and then redirects the gateway through it. Two things to keep in mind: the protection covers only the path from the router to the VPN server, so the AP itself still needs WPA2, and the router and its clients should use a resolver reachable through the tunnel rather than the one the hotel's DHCP hands out; and if the tunnel drops, OpenWrt's normal lan-to-wan forwarding still lets the clients out unencrypted unless you add a rule that blocks it.

Monday, March 7, 2011

How to block ads in Opera?

As far as I know (after an hour of googling :)), the best source for blocking ads in Opera is the list provided at http://www.fanboy.co.nz/adblock/opera/. Just download http://www.fanboy.co.nz/adblock/opera/urlfilter.ini, put it in your Opera profile directory (described at the beginning of the file) and voilà, it blocks ads.