today's howtos
-
The GraphicalEmoji hack
Yes, really. In order to make the emoji render correctly, I had to instruct the browser to render it in Times New Roman because that does not have the emoji defined. It will then fall back to the system font, giving us the ⚠️ that we truly desire.
-
2023-03-07 How to View Hidden Files and Folders on Linux
-
2023-03-07 How to install Pinta on Linux Lite 6.2
-
2023-03-07 How to install OpenBVE on a Chromebook
-
2023-03-07 GNU Nano Keyboard Shortcuts
-
2023-03-08 How to Set Up a Go Development Environment on Linux
-
2023-03-08 How to Set the Date and Time on Linux
-
How to Install ProcessWire CMS on Debian 11
ProcessWire is a PHP-based Open-Source CMS used to deploy content on the web. This tutorial will show you how to install ProcessWire CMS on Debian 11.
-
Getting Rid of Shared Secrets: The Major Design Flaw of All CI Systems
Traditionally, engineers generated a long-lived SSH private/public keypair and stored this within the secrets store of their CI provider, where it can be accessed by their workflows.
Since this keypair is stored in the CI platform’s secrets manager, this gives an attacker a new option: targeting the platform itself. This has become more common in recent years as the number of credentials stored in CI platforms makes them a lucrative target.
If exfiltrated, this long-lived credential gives the attacker months, or even years, to explore your systems.
To fix this situation, let’s make the CI runner’s credentials short-lived by using certificates. This solution also lets us get rid of the secrets manager.
Our CI runner will submit its public key and proof of identity to get a signed short-lived certificate from a certificate authority (CA). This not only lets us issue a short-lived credential, but also means that no private keys are ever transmitted over the network.
-
ANSI colours aren't consistent across X terminal programs
Beyond the colour shifts in Gnome Terminal, there are other interesting colour changes from what you might expect. For instance, in all terminal emulators, the result of rendering 'normal' white coloured text in a black on white terminal is not invisible white text, but a greyish colour that remains somewhat readable. There are also 'faint' versions of basic ANSI colours, and the interpretation of faint white text on a white background isn't necessarily what you'd expect and varies quite a bit between terminal programs (with urxvt seeming to ignore the faintness entirely for all colours).
-
The system that spent a lot of time doing nothing, repeatedly
But in today’s “war story,” the customer was seeing an odd issue—the number of writes to disk was remaining low as expected, but reads and CPU usage were quite high. Performance profiling revealed that the biggest consumer of CPU time was the checksum algorithm, SHA256.
When overwriting a file in place, NOPWrite calculates the hash of the new block, and compares it to the stored hash of the existing block. If the old hash matches the new hash, then the write can be skipped. This customer was using SHA256 hashes with a CPU which did not support any SHA-NI acceleration, so Klara recommended switching to the SHA512 checksum. (Counterintuitively, SHA512 hashes can be calculated around 50% faster than SHA256 hashes on 64-bit x86 CPUs.)
The change in hash algorithm provided a significant performance boost, but did not explain the amount of overhead, or the reads from disk.
Further analysis revealed the problem: the overwrites were mis-aligned. The incoming random access writes were in 64 KiB blocks, but on disk the data was stored in 128 KiB blocks (the default value of the recordsize property). This required ZFS to perform a read/modify/write cycle on each record.
-
Converting incoming emails on the fly with OpenSMTPD filters
This little adventure began with me being annoyed at DMARC aggregate reports. My domain doesn’t have enough email traffic to justify routing DMARC emails to some third-party analytics service, yet I want to take a brief glance at them. And the format of these emails makes that maximally inconvenient: download the attachment, unpack it, look through some (always messy but occasionally not even human-readable) XML code. There had to be a better way.
This could have been a Thunderbird extension, processing the email attachment in order to produce some nicer output. Unfortunately, Thunderbird extensions no longer have this kind of power. So I went for another option: having the email server (OpenSMTPD) convert the email as it comes in.
Since I already had the implementation details of OpenSMTPD filters figured out, this wasn’t as complicated as it sounds. The resulting code is on GitHub but I still want to document the process for future me and anyone else who might have a similar issue.
-
How to Install Wallabag on Rocky Linux 9
Wallabag is a read-it-later kind of service. It allows you to save webpages to read them later at your own leisurely pace. This tutorial will cover how to install and set up Wallabag on a server running Rocky Linux 9.