Archive for the ‘Uncategorized’ Category

Converting an AMI to an AMI that boots off of EBS

December 8, 2010

So I wanted to create an AMI that had some permanency (e.g. if I run “yum -y update” the system actually is updated when I reboot it next). Specifically I wanted to take the Fedora 14 AMI from https://fedoraproject.org/wiki/Cloud_SIG/EC2_Images, install some software on it and make it semi permanent (so I could use it as needed).

To do this you will need an EBS backed AMI. There are two ways to store an AMI image, in S3 or in EBS. S3 is a simple bit bucket and the AMI storage protocol basically boils down to “compress the disk image and cut it up into chunks, store the chunks and a manifest file in S3” so when you start an AMI it gets the manifest then downloads the appropriate chunks of data from S3, creates a disk image and fires it up. EBS actually presents like a normal disk, and changes made to an EBS volume actually change the EBS volume, so you get some permanency.

However, if you terminate the instance it will still go bye-bye, and any changes you made since the instance was first created from the EBS volume will be gone. In order to update the AMI you simply need to halt the running instance, take a snapshot of it, and then register that snapshot as a new AMI (ideally including a version number in the name or description):

ec2-register -snapshot snap-SOMESNAP -description "A description" -name "A name 1.0" [-kernel aki-something] [-ramdisk ari-something]

For complete instructions on turning a running AMI into an EBS backed AMI please see:

http://webkist.wordpress.com/2010/03/16/creating-an-amazon-ec2-ebs-ami-from-a-running-instance/

But the synopsis is: run an AMI instance, create an EBS volume and attach it, format the EBS volume as ext3/ext4, mount it, rsync / to the mount point (use -a to preserve ownership and permissions and -x so rsync stays on the root filesystem and doesn’t descend into /proc or the EBS mount itself), then create some device nodes such as console so you can log in:

# MAKEDEV -d /mnt/ebs/dev -x console
# MAKEDEV -d /mnt/ebs/dev -x zero
# MAKEDEV -d /mnt/ebs/dev -x null

and make sure you comment out /dev/sda2 and similar instance-store entries in the copied /etc/fstab (an instance booted from the EBS image may not have those devices set up, and the boot will go sideways waiting for them).
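The synopsis above as a script (an added example, not part of the original post or the linked article). It assumes the fresh EBS volume is attached as /dev/sdh (EBS_DEV) and mounted at /mnt/ebs (EBS_MNT), and that it runs as root on the running S3-backed instance; the snapshot id passed to register_ebs_ami is a placeholder you supply after snapshotting the volume.

```shell
#!/bin/sh
# Added example: copy the running root filesystem to an EBS volume so it can be
# snapshotted and registered as an EBS-backed AMI. EBS_DEV/EBS_MNT are assumptions.
set -eu

EBS_DEV=${EBS_DEV:-/dev/sdh}
EBS_MNT=${EBS_MNT:-/mnt/ebs}

# Comment out instance-store entries (/dev/sda2 ephemeral disk on /mnt, swap if
# present, ...) in the copied fstab; an instance started from the snapshot may
# not have those devices and would stall at boot waiting for them.
clean_fstab() {
    # $1 = path of the fstab inside the copied tree
    sed -e 's|^\(/dev/sda[2-9][[:space:]]\)|#\1|' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

copy_root_to_ebs() {
    mkfs.ext4 "$EBS_DEV"
    mkdir -p "$EBS_MNT"
    mount "$EBS_DEV" "$EBS_MNT"
    # -a keeps ownership/permissions/symlinks; -x stays on the root filesystem so
    # /proc, /sys and the EBS mount point itself are not copied
    rsync -ax / "$EBS_MNT/"
    # device nodes needed for a console and a working login on first boot
    MAKEDEV -d "$EBS_MNT/dev" -x console
    MAKEDEV -d "$EBS_MNT/dev" -x zero
    MAKEDEV -d "$EBS_MNT/dev" -x null
    clean_fstab "$EBS_MNT/etc/fstab"
    umount "$EBS_MNT"
}

# Once a snapshot of the volume exists, register it with the same syntax the
# post uses; add -kernel/-ramdisk if the image needs a specific aki/ari.
register_ebs_ami() {
    # $1 = snapshot id (e.g. snap-SOMESNAP), $2 = name with a version, $3 = description
    ec2-register -snapshot "$1" -name "$2" -description "$3"
}

# Only the "run" argument performs the copy, so the file can be sourced safely.
if [ "${1:-}" = "run" ]; then
    copy_root_to_ebs
fi
```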

IPv6 and OpenBSD (Part 1)

April 26, 2010

So I finally took the plunge and got IPv6 going. My setup is pretty simple: an OpenBSD firewall attached to the Internet, and a switch and a bunch of machines attached to the OpenBSD firewall. My ISP doesn’t support IPv6 yet (I’d be truly shocked if they do anytime in the next 5 years), so I chose Hurricane Electric as my IPv6 tunnel broker. The server setup isn’t too bad, but there are a lot of small steps:

Step 1: Sign up at Hurricane Electric for a free IPv6 tunnel: http://tunnelbroker.net/

Step 2: Create a tunnel and note down the info they give you. You will get a /64 assignment, which is a lot of addresses (more than you’ll probably ever need). This makes address assignment convenient: just take your IPv6 prefix, tack on the MAC address and you’re almost guaranteed to get a unique IP address (notwithstanding really bad network card makers).

Step 3: Set up the tunnel on OpenBSD. Notice the “Example OS Configurations (Windows, Linux, etc.):” section at the bottom of the tunnel page; select OpenBSD and it spits out something like:

ifconfig gif0 tunnel your.ip.add.ress 72.52.104.74
ifconfig gif0 inet6 alias 2001:500:6666:333::2 2001:500:6666:333::1 prefixlen 128
route -n add -inet6 default 2001:500:6666:333::1

Go edit your /etc/hostname.gif0 file so it looks like this:

tunnel 68.151.57.38 72.52.104.74
!ifconfig gif0 inet6 alias 2001:500:6666:333::2 2001:500:6666:333::1 prefixlen 128
!route -n add -inet6 default 2001:500:6666:333::1

A line starting with ! runs the rest of the line as a command; I got tired of trying to figure out the correct hostname.if syntax and just put the commands in instead.

Step 4: Set up your internal interface with an IPv6 address (hostname.fxp0):

inet 192.168.0.1 255.255.255.0
inet6 2001:500:6666:333:123:45ff:fe1d:3456 64
inet6 alias 2001:500:6666:333:: 64 anycast

I basically chose the network card’s MAC address for the host part of the IPv6 address; this way it is unlikely to ever conflict with anything else.

Step 5: Set up and configure the router advertisement daemon (rtadvd), in rc.conf:

rtadvd_flags="fxp0"

And your /etc/rtadvd.conf should look like:

fxp0:\
:addrs#1:addr="2001:500:6666:333::":prefixlen#64:raflags#64:

This lets other clients configure themselves from the router advertisements, which makes IPv6 basically zero hassle to set up.

Step 6: IPv6 routing and route6d. Edit rc.conf to enable route6d:

route6d_flags=""

You’ll also want to enable forwarding of IPv6 traffic in /etc/sysctl.conf:

net.inet6.ip6.forwarding=1      # 1=Permit forwarding (routing) of IPv6 packets
net.inet6.ip6.mforwarding=1     # 1=Permit forwarding (routing) of IPv6 multicast packets
net.inet6.ip6.multipath=1       # 1=Enable IPv6 multipath routing

Step 7: Reboot and you should be good to go. To test it, try something like:

ping6 ipv6.google.com
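Steps 3 to 6 generated from a few variables, as an added example (not from the original post). It derives the LAN address the way Step 2 and Step 4 describe (prefix plus MAC), but using the proper EUI-64 rule (flip the universal/local bit of the first byte and insert ff:fe in the middle); the output directory is an assumption so the files can be reviewed before being copied to /etc on the firewall, and the tunnel and LAN prefixes are separate parameters because Hurricane Electric hands out a routed /64 distinct from the tunnel’s own /64.

```shell
#!/bin/sh
# Added example: write the OpenBSD IPv6 firewall configuration from Steps 3-6.
# The output root ($1 of write_ipv6_config) is an assumption for review; on the
# real firewall it would be "/". Sample values are the post's own.
set -eu

mac_to_eui64() {
    # $1 = MAC such as 00:12:34:56:78:9a; prints the 64-bit interface id
    oldifs=$IFS; IFS=:; set -- $1; IFS=$oldifs
    printf '%x:%x:%x:%x' \
        $(( ((0x$1 ^ 0x02) << 8) | 0x$2 )) \
        $(( (0x$3 << 8) | 0xff )) \
        $(( 0xfe00 | 0x$4 )) \
        $(( (0x$5 << 8) | 0x$6 ))
}

# $1 = four-group /64 prefix (e.g. 2001:500:6666:333), $2 = MAC of the LAN card
lan_address() { printf '%s:%s' "$1" "$(mac_to_eui64 "$2")"; }

# $1 = output root, $2 = your public IPv4, $3 = HE tunnel server IPv4,
# $4 = tunnel /64 prefix, $5 = routed LAN /64 prefix, $6 = LAN card MAC
write_ipv6_config() {
    mkdir -p "$1/etc"
    cat > "$1/etc/hostname.gif0" <<EOF
tunnel $2 $3
!ifconfig gif0 inet6 alias $4::2 $4::1 prefixlen 128
!route -n add -inet6 default $4::1
EOF
    cat > "$1/etc/hostname.fxp0" <<EOF
inet 192.168.0.1 255.255.255.0
inet6 $(lan_address "$5" "$6") 64
inet6 alias $5:: 64 anycast
EOF
    # rtadvd advertises the routed /64 on the LAN; raflags#64 sets the O flag
    printf 'fxp0:\\\n:addrs#1:addr="%s::":prefixlen#64:raflags#64:\n' "$5" \
        > "$1/etc/rtadvd.conf"
    # rc.conf.local is the supported place for these (the post edits rc.conf);
    # both files are appended to, so rerunning duplicates the lines
    cat >> "$1/etc/rc.conf.local" <<EOF
rtadvd_flags="fxp0"
route6d_flags=""
EOF
    cat >> "$1/etc/sysctl.conf" <<EOF
net.inet6.ip6.forwarding=1
net.inet6.ip6.mforwarding=1
net.inet6.ip6.multipath=1
EOF
}
```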

The client setup is pretty easy, on OpenBSD at least: during network configuration choose “rtsol” when prompted for IPv6 setup. If your machine is already set up, simply edit the hostname.if file and add “rtsol” to it; this results in automatic IPv6 configuration. You’ll also want to enable the rtsold daemon in rc.conf:

rtsold_flags="fxp0"

Adding an IPv6 name server to resolv.conf is also easy:

nameserver 2001:470:20::2

Reboot and your client should be ready to get an IP from your OpenBSD firewall and connect onwards to the Internet.

I want a web pad (Part 1)

April 23, 2010

I want a web pad. I find myself using my netbooks more and more, mostly because they aren’t a pain to lug around, and with an SSD and a 9-cell battery I can get 8-9 hours of use (wifi, watching movies, etc.) out of one (basically a full day, no problem). Like many people I’m spending more time online; what would have been “offline” tasks in the past (writing an article, replying to email, etc.) are now online activities, with fact checking and so on done in real time rather than leaving a note and waiting until later. This is finally practical: home, coffee shops, etc. all have wireless access, and if they don’t I can use my iPhone (which sucks hard for data speeds downtown, but that’s another story), which has free tethering (thanks Fido). If I can’t get online there is precious little work I can do. Even my accountant agrees (they seem to embrace technology, but only if it is reliable, proven and cost effective, so they’re usually a few revs behind everyone): when his network goes out he takes off for a round of golf.

My requirements are:

  • browse the web and support JavaScript well (Gmail, Google Docs, etc.)
  • allow me to view PDF files
  • support rotate (i.e. portrait and landscape view) with no hassle
  • support 802.11 and WEP/WPA/WPA2
  • at least 6 hours of battery life
  • 9 inches minimum
  • audio jack for headphones
  • $500-600 max

My wishlist would be:

  • 11-13 inches screen size
  • audio jacks for microphone
  • as much battery life as possible
  • ability to run software I want to run (basically everything but the iPad)
  • Bluetooth for keyboard/mouse
  • Watch .avi files (movies)
  • Flash would be nice but I suspect I can live without it
  • Android or Linux based

Hardware specs: apart from screen size, who gives a flip anymore as long as it does the above tasks. Seriously. Hardware is all pretty much fast at this point; the over-reliance on specs (this one has a CPU 0.1 GHz faster than this other thing) is a bit dated I think.

Sadly I realize I’m willing to give up the ability to run software of my choosing in order to get this device. I’ve already done this with the iPhone (of the 7 SSH clients I tested none are great and half are complete garbage). I am not used to having devices capable of general computing (as opposed to an MP3 player) that I don’t actually control and on which I can’t run the software I want to run, but I realize I’m willing to give that up for the convenience of devices like the iPhone (I feel so dirty).

So I’ve decided I will be buying a tablet/web pad (whatever we’re calling it now) this year once I can find one that doesn’t suck as bad as the iPad does in some respects.

Current contenders are:

Physical data smuggling

April 23, 2010

So with all the talk of US border services forcing people to log into their laptops and provide access to email, files on the system, the contents of their iPod and so on, I can’t help but think about physical data smuggling. This of course ignores the fact that competent bad guys will just bring a nice clean laptop/etc. with them and then download their data once they’re in the country, but I digress.

Let’s say you have a couple hundred gigabytes of data; not something I’d want to download over a hotel connection. So how do you smuggle that much data into a country that may force you to log into your laptop, or even confiscate it? Please note that this may not be “illegal” or even “naughty” data: if someone is transporting health care data, for example, they will probably be legally required to protect it and not give access to it.

(Image: Micro SD card on a finger tip)

Micro SD cards seem to be the obvious answer. Small enough to fit in a hollow coin, or to swallow, or insert into.. well, you get the idea. I’m just wondering how long until someone posts an X-ray online of a courier filled with condoms stuffed with Micro SD cards. Oh, and 2 terabyte Micro SD cards should be available in 5 years or less.

Spotting counterfeit money

April 22, 2010

It’s about time, but Canada will be moving to plastic/polymer based bills instead of paper/linen based bills in 2011 or so. Back in 2004 counterfeit bills peaked (“The prevalence of counterfeiting in Canada and its impact on direct victims and society”), and prior to that the majority of it was $50 and $100 bills being counterfeited by one guy (Wesley Weber), who managed to put enough fake $100 bills into circulation that even now in 2010 most retailers won’t accept $100 bills.

Probably the easiest way to defeat counterfeiters is the move to plastic/polymer notes. This is a combination of the ease of checking the bills (the feel/etc. will be entirely different from current notes; even in a dark nightclub a waitress should be able to tell the difference) and the difficulty of getting the stock and printing on it (at least for now….). I remember one local store that had a counterfeit $40 pinned to the wall; it was literally 20 lb copier paper printed on an ink jet and looked more like Monopoly money than real currency (the reds were saturated and blobby).

But in the meantime we’ll have to stick to the old-fashioned methods of checking currency (security strip embedded in the paper, micro print, reflective metal patch, etc.). For more information on the Canadian security features see the Bank of Canada page, and for American money check out newmoney.gov (way higher production values!).

One thing you will note is a common and consistent set of features used to prevent counterfeiting of banknotes:

  • embedded metal strip in the printing stock with the value of the bill printed on the strip (prevents people from running these off on a copier, or bleaching a $20 bill and reprinting it as a $100 bill)
  • metal reflective patches that refract light differently depending on the angle you view them at (like a soap bubble)
  • micro print, and lots of it (in the background, in the numbers, on the faces, etc.)
  • raised ink (and embedded braille dots for the blind)
  • watermarks (printing embedded in the paper as opposed to on the paper)
  • UV fluorescence under black light
  • iodine pens: since bills are mostly linen and not paper, iodine doesn’t mark the bill significantly

Hopefully this will inspire and encourage web browsers and other software makers to come up with a common set of features to help users identify the legitimacy of online web sites (my next post).