World Port Days Rotterdam

This year I’ll help out at the World Port Days in Rotterdam. It is an event where the various things related to the port are shown. They’re expecting around 350.000 visitors. I’ll help at the Maersk stand on Sunday afternoon (2 pm onwards). The stand is located next to the Dutch Navy at the Parkkade (right hand side). It should be easy to locate as there will be a ship from Norfolkline alongside which people can visit (stand is about 60m wide).

Stuff at the stand:

  • Info about how Maersk brings seawater from the Pacific Ocean to Rotterdam for the Oceanium. Apart from a cinema there will be a few people from Blijdorp to answer questions. The Oceanium is really nice (I went to a ‘behind the scenes’ tour at the Oceanium a while back).
  • A working reefer container (not sure which temperature it will be set at)
  • Solar boat from TU Delft (Maersk sponsors this). Apart from the boat there will be a flat screen with more info, etc.
  • Other stuff like a free ringtone (Bluetooth), APM Terminals stand next door, picture board, etc (there are just too many things to list).

SVN-commits-list annoyance

Noticed that I got a bounce message from dict-notifications at fsa-bg org after a commit to SVN. This triggered an email to svn-commits-list which this address was subscribed to. Of course, such bounces are very annoying so I’ve unsubscribed that address. I do wonder why I didn’t see any complaints in a place meant for this (gnome-sysadmin, gnome-infrastructure, support@, mailman@, …).

LDAP replication change

Up to today LDAP replication was done using slurpd-style replication. In this setup the LDAP master pushes changes to the various slaves. For this to work the slave must be accessible by the master. This was set up using encryption (self-signed certificates). This replication method is deprecated as of OpenLDAP 2.3 in favour of ‘syncrepl’. OpenLDAP 2.4 doesn’t even have slurpd-style replication. Changing the replication method is important as I want to be able to upgrade to RHEL6 without being forced to do other changes at the same time.

The biggest drawback about slurpd is that it only replicates the changes. Meaning: If you have a new slave, you first have to stop the master, dump the database, then load this database on the slave, then start the slave and the master. Really annoying and during this time your master LDAP server is down!

With syncrepl-style replication the slaves contact the master. Slaves are now called consumers and the master is the provider. I don’t like consumers contacting the provider as I don’t want a security issue on some external host to cause security problems on the LDAP master db. I’ve tried to minimize the risk by using encryption (self signed certificates, server won’t accept any other certificates), using iptables, restricting the LDAP logon to just one user (to ensure brute forcing userPassword entries by logging in often will not work), not replicating the userPassword attribute, not allowing database modifications from external clients and some ACL restrictions.

There are two things I like about syncrepl.

  1. After connecting to the provider it checks the consistency of the database. At one point the SVN machine missed just one uid entry. That person couldn’t log in. With syncrepl such a problem is not possible (ignoring possible config errors like ACLs).
  2. You can restrict what is replicated to the slave using ACLs on the master.

Syncrepl has two modes of operation. With refreshOnly it checks for LDAP changes every x minutes (configurable). This isn’t as nice as slurpd, as I want all LDAP changes to be propagated instantly (even if the SSH sync script only runs once an hour). Fortunately it also has refreshAndPersist, where it first checks and then waits for change notifications from the provider.
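As an added example (not the blog’s own configuration, which the post does not show), this is what the setup described above looks like in OpenLDAP 2.4 slapd.conf terms: a provider with the syncprov overlay, TLS that only accepts certificates from our own CA, and ACLs that let only the replication DN bind, hide userPassword and block modifications; plus a refreshAndPersist consumer. All DNs, hostnames, file paths and the password placeholder are assumed.

```conf
## --- provider (master) slapd.conf fragment ---
TLSCACertificateFile  /etc/openldap/cacerts/ca.crt   # our own self-signed CA
TLSCertificateFile    /etc/openldap/certs/provider.crt
TLSCertificateKeyFile /etc/openldap/certs/provider.key
TLSVerifyClient demand          # reject clients whose cert is not signed by our CA
security ssf=128                # refuse unencrypted connections entirely

database  bdb
suffix    "dc=example,dc=org"
rootdn    "cn=Manager,dc=example,dc=org"
directory /var/lib/ldap
overlay   syncprov              # makes this database a syncrepl provider
syncprov-checkpoint 100 10

# Only the replication DN may bind; every other userPassword is unusable for
# binding, so brute forcing passwords by repeated logins from outside fails.
access to dn.exact="cn=replicator,dc=example,dc=org" attrs=userPassword
    by anonymous auth
    by * none
# userPassword is not readable by anyone (rootdn bypasses ACLs), so it is
# never handed to the consumer even though it asks for all attributes.
access to attrs=userPassword
    by * none
# Everything else: read-only for every bind, including the replicator; only
# rootdn (assumed to be used by the local account tooling) can modify data.
access to *
    by * read

## --- consumer (slave) slapd.conf fragment ---
database  bdb
suffix    "dc=example,dc=org"
rootdn    "cn=Manager,dc=example,dc=org"
directory /var/lib/ldap
syncrepl rid=001
    provider=ldap://ldap.example.org
    type=refreshAndPersist      # initial refresh, then stay connected for changes
    # type=refreshOnly interval=00:00:05:00   # alternative: poll every 5 minutes
    retry="60 10 300 +"         # reconnect: 10 tries every 60s, then every 300s forever
    searchbase="dc=example,dc=org"
    attrs="*,+"                 # userPassword still stays away: provider ACL hides it
    bindmethod=simple
    binddn="cn=replicator,dc=example,dc=org"
    credentials=REPLICATOR_PASSWORD_PLACEHOLDER
    starttls=critical           # abort rather than replicate in the clear
    tls_cacert=/etc/openldap/cacerts/ca.crt
    tls_cert=/etc/openldap/certs/consumer.crt   # client cert the provider demands
    tls_key=/etc/openldap/certs/consumer.key
    tls_reqcert=demand          # the provider must present a cert from our CA
updateref ldap://ldap.example.org   # writes sent to the consumer get a referral
```

With refreshAndPersist the consumer keeps one TLS connection open to the provider and receives each change as it happens, which is what replaces slurpd’s instant push; the commented-out refreshOnly line shows the polling alternative.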

Tips to ensure a working syncrepl:

  • Make sure the DNS entry points to the right server
  • Make sure that DNS entry has not been manually added in /etc/hosts
  • Make sure the userid running slapd can actually access the various certificate files
  • If you test using ldapsearch, make sure /etc/openldap/ldap.conf has a TLS_CACERT entry
  • Make sure the TLS_CACERT file can actually be read by the user running ldapsearch
  • Run slapd (etc) with -d 1023 to see the debug messages; you won’t find them anywhere else (by default)
  • Kill any running nscd and wipe it off the system
  • etc etc etc

Seeing more KDE at GUADEC

Really excited that possibly we’ll have an Akademy and GUADEC at the same place next year. I’m starting to see KDE at this GUADEC already:

Yeah, not entirely the same, but it is still 2008, not 2009.

Bazaar demo today

There will be a Bazaar demo today at 15.30 in the Medium room. This wasn’t on the schedule before. They’ll demonstrate not only how to use Bazaar (using the Bzr mirror), but also show a few new features (among other things, search). Another item is a playground server, allowing GNOME people with SSH keys to store their own branches. If you are interested in DVCS and/or Bazaar, I suggest attending this demo. It will be an open demo, so feel free to ask them to demonstrate whatever you’d like to see. I’d love questions about how Bazaar could make your workflow easier (supporting what you do easily).

Roommate?

I’m planning to stay at the following hotel: Istanbul Hotel Ipek Palas. Some other crazy Dutch guys will be staying there too (so you don’t have to prepare a map or something.. just rely on them 😉 ). Need a roommate though, anyone interested? I’ll arrive Sun 6 and leave Sat 12. If so, mail me, or post below. The hotel has free wifi btw.

As seen in #sysadmin

<saned> hello. I'm wondering whether http://l10n.gnome.org/ has been defaced...
<saned> it says "Damned Lies about GNOME"
<saned> is it some kind of joke?

The question alone

Weird. I think that just thinking about something like that being possible is very weird. Planet GNOME is one of the aggregators which shows every post, always (a full feed is often requested). The only exceptions (AFAIK) being: bugs, bugs and bugs (either planetplanet, GNOME server or when there is a server problem with the feed).

So to question the openness of GNOME Planet.. weird. I thought pgo had more trust than this. Wonder what can be done to change this impression.

I also don’t agree with:

Furthermore censorship on a service provided by those who consider themselves advocates of freedom and liberty is hypocritical to say the least.

Start a personal attack on a GNOME service and you can forget about mentioning freedom. Furthermore, freedom/liberty is being able to announce something, not being able to do that anywhere you please. Meaning: if GNOME provides a service, GNOME decides what is allowed (but don’t forget the beginning of this blog).
Lastly, I don’t see GNOME as an advocate of freedom and liberty (just free software).

Git git git

Why is Git, for some, the one perfect DVCS about which no discussion is possible? From ‘Git is the only DVCS caring about performance’ (including outdated benchmarks), to ‘all DVCS systems are hard’ and lastly ‘switching VCS systems is easy’. Regarding the latter, who is going to do the conversion? I am fully willing to do Bazaar (perhaps Mercurial.. I’d first have to investigate that). But Git? Even an ‘am I capable?’ would dismiss me from doing that. Anyway, from following the stuff before the CVS->SVN switch, to fixing loads of things afterwards, switching a VCS system is not at all as easy as some make it out to be. Just the underestimation makes me worry.
When I see something which is broken, I cannot just leave it without trying to fix it (aside from lacking time and whether I am able to, but ‘able’ is pretty easy with root access). From DNS stuff, to LDAP, the accounts process (Mango), SVN repos creation, etc. Although I’d really love it if more GNOME sysadmins would be active… anyway, if Git is considered to be the only option and the attitude regarding the ease of switching stays the same, I do not want to have the ability to fix whatever was forgotten or broken.