/dev/root

Recently as a good Apple geek I got an iPhone on my last trip to the US, and got it unlocked so I could use it with my Swisscom SIM Card.

I’ve been a happy camper all along, got a nice business data package (50Mb per month) and also the roaming preferential package (CHF 5 per month) so the price per Mb of transfer while roaming would be lower (CHF 3 instead of CHF 14).

The iPhone works wonderfully in Switzerland’s Swisscom network, the phone takes advantage of the extended EDGE Swisscom network so I can fully use Google Maps or check the weather or my e-mail no matter where I am, even in the middle of the Alps, all of this joy turns into a nightmare when roaming in foreign countries.

This last month I’ve been visiting the UK and Spain for business affairs, being confident of the iPhone’s ability to measure EDGE/GPRS traffic I used Google Maps to guide myself around London city center and to find good restaurants in Barcelona, all of this only consumed 1.9Mb of transfer (800kb upstream and 1.1Mb downstream) so I was expeting a 2Mb or a 3Mb charge maximum.

I’ve got a 28.6 Mb charge, which amounted to CHF 140 approximately.

To my disbelief I called immediately Swisscom customer line, even if the helpdesk was a bit harsh at first (calling me a liar for saying that the bill was wrong) I finally got them to pass me through to a technical support person, which helpfully investigated the matter.

I’ve got a call back from the technical support to confirm that the bill amounted to 28.6Mb due to the fact that Swisscom roaming partnerships force Swisscom to charge a minimum of 30kb per session (up t0 a minimum of 300kb per session in Spain!!!), and they consider a session each time the telephone connects to the GPRS network, so this means that each time that I was checking Google Maps in Spain I was being billed 300kb even if I was using 1kb or 2kb maximum, a shameful ripoff.

Even if I kept complaining about this fact pointing out that it’s not my problem that Swisscom has such a bad partnership deals of which I were not warned about at any time, I’m now forced to pay the full bill and I’ve been told by the technician that my telephone is defective and I should get another one that only connects into the GPRS network once and leave the connection open so I can avoid multiple charges, so it looks like now an iPhone is defective in Swisscom eyes, amazing.

This is the kind of treatment and very user unfriendly deals that screws up us European users, and the kind of torment that Canadian users of Rogers suffer as well, this telephone is clearly ahead of its time and it looks like it’s way ahead the comprehension of my mobile phone network, which is not up to the challenge of making a user friendly comprehensible charging data network.

Shame on you Swisscom.

If you don’t have Mac OS X Leopard server you have a Samba implementation limited mostly to home directories and a lot of borking around, if you’re a typical Unix Admin as I am you’ll want to take things in your hands and add the shares you want yourself in the command line.

Leopard uses Samba 3 and its own authentication and locking methods connected to its auth layer and afp locking so a typical samba config file won’t work, it also has a dynamically modificable part which is configured via System Preferences.

This is not the smartest method neither prepared for faint hearted people, but it’ll work if you’re used to Linux.

If you had samba already working on Tiger the changes are only at locking, vfs and user auth, which is what enables all the new Leopard system to work properly.

This are the exact changes from Tiger to Leopard


# Changes affecting user mapping and authentication
passdb backend = odsam
idmap domains = default
idmap config default: default = yes
idmap config default: backend = odsam
idmap alloc backend = odsam
idmap negative cache time = 5
obey pam restrictions = yes
security = USER
auth methods = guest odsam
ntlm auth = yes
lanman auth = no
use kerberos keytab = yes
com.apple: lkdc realm = LKDC:SHA1.xxx
realm = LKDC:SHA1.xxx


# Changes affecting the FS interaction and locks
vfs objects = darwinacl,darwin_streams
use sendfile = yes
ea support = yes
darwin_streams:brlm = yes
enable core files = yes
max smbd processes = 10
log level = 1
map to guest = Bad User


You want to take a look at the realm SHA1 strings since they’re dependant on your installation, you can always check the new /etc/smb.conf in Mac OS X Leopard and then merge it up with your previous config, or replace the config as I did and just add this.

The Leopard samba configuration is brilliant, but at the same time limited to push you to buy the Server version, at the same time it’s interesting to play with the includes it adds too, but this at least will get your previous samba config out and running fine.

45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2

09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

This is specially helpful if you are using your Apple TV wireless adapter instead of plugging it directly to the network with an Ethernet cable.

This small tweak assumes that you already have sshd access to your Apple TV, if not please check out AwkwardTV on how to do that.

I had some problems watching HD DivX files in my AppleTV, they were skipping frames and freezing in the most awkward moments, I have all of my files in a mac mini and shared on the network using AFP. The files are mounted in the Apple TV using the ATVFiles plugin and the aTV-ShareMounter plugin.

What needs to be added to give the network buffer enough buffer space on the network is tweak the kernel options at startup, that can be done as in Mac OS X editing the file /etc/sysctl.conf which in the Apple TV version of Mac OS X does not exist by default, you’ll have to create it, don’t worry I’ll put here two quick ways to do it.

How to edit /etc/sysctl.conf (if it does not exist)

First Option - The fast kamikaze strategy (will work for everybody, but be really careful!).

echo “kern.ipc.somaxconn=512″ > /etc/sysctl.conf
echo “net.inet.tcp.mssdflt=1460″ >> /etc/sysctl.conf
echo “net.inet.tcp.sendspace=98304″ >> /etc/sysctl.conf
echo “net.inet.tcp.recvspace=98304″ >> /etc/sysctl.conf
echo “kern.ipc.maxsockbuf=1048576″ >> /etc/sysctl.conf
echo “net.inet.udp.maxdgram=57344″ >> /etc/sysctl.conf
echo “net.inet.udp.recvspace=42080″ >> /etc/sysctl.conf
echo “net.local.stream.sendspace=98304″ >> /etc/sysctl.conf
echo “net.local.stream.recvspace=98304″ >> /etc/sysctl.conf
echo “net.inet.tcp.delayed_ack=0″ >> /etc/sysctl.conf
echo “net.inet.tcp.rfc1323=1″ >> /etc/sysctl.conf
echo “net.inet.tcp.rfc1644=1″ >> /etc/sysctl.conf
echo “net.inet.tcp.newreno=1″ >> /etc/sysctl.conf

Second Option - The slow wise monk strategy (this will work in all cases)

Edit a sysctl.conf in your computer (just be sure that if you’re in a Posix system you’re not editing your local /etc/sysctl.conf).

Add these values to the file

kern.ipc.somaxconn=512
net.inet.tcp.mssdflt=1460
net.inet.tcp.sendspace=98304
net.inet.tcp.recvspace=98304
kern.ipc.maxsockbuf=1048576
net.inet.udp.maxdgram=57344
net.inet.udp.recvspace=42080
net.local.stream.sendspace=98304
net.local.stream.recvspace=98304
net.inet.tcp.delayed_ack=0
net.inet.tcp.rfc1323=1
net.inet.tcp.rfc1644=1
net.inet.tcp.newreno=1

Copy it to your Apple TV through scp and make sure it ends up in its correct position at /etc/sysctl.conf on your Apple TV

The changes you do will be available on the next reboot, I find it better to do it this way so you’re 100% sure that all the changes are loaded at the same time.

I hope this solves Leo Laporte streaming problems to his Apple TV ;)

Trunking between this equipments is problematic at best, the meaning of trunk in the 3com is not the same as in the Catalyst, also the vlan methods are not the same either.

Trunk in the 3Com SuperStack is port aggregation between two 3Com devices, whether in the Cisco is really a downlink trunk, luckily both devices speak 802.1q so the trunk configuration shouldn’t be a big problem.

First of all we need to establish the trunk port between the Catalyst and the SuperStack, so we’ll start by defining the port in the Catalyst.

interface FastEthernet0/14
description Trunk to 3com 3300
switchport access vlan 905
switchport trunk native vlan 905
switchport trunk allowed vlan 10,11,13,14
switchport mode trunk
speed 100
duplex full

Some considerations on this config. It’s always recommended by Cisco and security-wise to use another vlan than vlan 1 for trunking, that’s what we’re doing here, also we’re restricting which vlans we will accept and retransmited to the 3Com switch.

There’s a huge implementation difference between the trunking trunking transmission between Cisco and 3Com, the 3Com switches tag all the vlans by default, but the Cisco switch won’t tag the trunk vlan, this is a really annoying factor that made me waste some hours!

The trick resides in adding all the vlans tagged into the port that you’re using as a trunk, you don’t really need to add the trunking vlan that you configured back on the cisco, it doesn’t work that way. So let’s add one by one all the vlans in the trunk port. In order to do that we need to use the bridge menu in the 3com switch.

Select menu option (bridge/vlan): addPort
Select VLAN ID (1-4094) [1]: 10
Select Ethernet port (1-12, all): 12
Enter tag type (none, 802.1Q) [802.1Q]: 802.1Q

Repeat this in the trunk port for each vlan you’re adding in the Cisco trunk side. When you have your trunk port configured properly (also be careful with duplex and speed configs) you just need to add the ports into the vlan untagged. So let’s say we want to add port 1 to the vlan 10.

Select menu option (bridge/vlan): addPort
Select VLAN ID (1-4094) [1]: 10
Select Ethernet port (1-12, all): 1
Enter tag type (none, 802.1Q) [802.1Q]: none

As soon as that’s done the port will be talking head to head with all the other ports in vlan 10 also in the Cisco switch.

The difficult thing is making the 3Com switch accesible through an IP address, since the 3Com switch will only publish its public IP address though VLAN 1, this one is a though cookie.

After a horrible week fighting against CentOS 4 and our firewalls deployment. I’ve found several incompatibilities (albeit already documented) with this machines and CentOS 4.

There were 2 different problems affecting this machines.

Keyboard not working after kernel boot, non responsive.

This happens even when installing the machine, I had to install this machine in graphical mode (it works when booting in graphical mode) but it didn’t work at all on a forced text installation.

This bug can be solved disconnecting the USB subsystem in the BIOS, after that the keyboard is operative again.

Machine freezes with a kernel panic after approx 24h. of operation, no logs or traces left.

This one was a hard bone to catch! Did a memory test, updates both BIOS and network cards firmware to the last version and did several extended checks on the hardware, there was not a single error.

After roaming around the RedHat and CentOS forums for a while looking for an answer, I saw a similar error in RedHat RHEL4 (the one CentOS is based on) about an xServer that had the same problem. It seems the problem is realted with the old version of ACPI this motherboard has, and it only happens with 2.6.9-42.x.EL versions of the kernel, just adding the noapic option in /etc/grub.conf to the kernel boot solved the issue.

title CentOS (2.6.9-42.0.8.EL)
root (hd0,0)
kernel /vmlinuz-2.6.9-42.0.8.EL ro noapic root=LABEL=/
initrd /initrd-2.6.9-42.0.8.EL.img

After this interesting article in Digg I decided out of boredom to try this up myself, here’s the result.

After this I noticed that the concurrent file limit by default in Mac OS X is quite low! Only around 200 processes per user, which even if it’s more than enough for most users sometimes depending on what you do you need more ;)

Mac OS X respects the sysctl.conf kernel parameter file as most unix do, so it’s just a question of adding the following parameter there:

kern.maxproc=2048
kern.maxprocperuid=512
kern.sysv.shmmax=167772160
kern.sysv.shmmin=1
kern.sysv.shmmni=32
kern.sysv.shmseg=8
kern.sysv.shmall=65536

I noticed after raising the processes value that the shared memory values where low as well, so it’s a good option to change them all at the same time.

Of course this configuration is not really recommended for machines with less than 1Gb of RAM, so be careful!

Also you need to raise the limit on launchd, launchd is Apple replacement for initd and it manages the initial limits for users.

Just edit (or create /etc/launchd.conf) and add:

limit maxproc 1024 2048
limit maxfiles 2048 4096

There have been lately a huge increase in spam due mainly to botnets, spammers also have shifted their spam methods, using embedded images and obfuscating techniques to avoid OCRs.

This two factors together mean that I’ve got a lot more work maintaining my spamassassin installation :) and also that the standard config or some deviations on the scoring is not good enough, even with score tweaking I still got lots of Stocks and embedded gif spam, after some checking around I found some solutions in Rules Emporium. Also updating is a must so try always to keep up to date, right now I’m running Spam Assassin 3.1.7.
Finally after some tweaking and more tweaking I arrived to this config:

• Auto White-list and Bayes using MySQL DB Engine
• user_pref integrated into our user control panel
• Razor2 integration
• SPF Integration
• Score tweaking
• New rules added using Rules Emporium ImageInfo and Stock Rules

With this method the false positives have gone down and the stock and image spam is being stopped (finally!).

The Rules Emporium ImageInfo plugin consumes a lot less CPU than using an OCR plug-in and even if it’s based on broader rules it catches even the hardest embedded image spam, you can get the plugin here. Also the stock ruleset got rid of most of the stock spam that I was receiving, this spam is quite hard to guess indeed! You can get the ruleset here.
Here is the final tweaked local.cf config in SpamAssassin

required_score 3
report_safe 0
rewrite_header Subject [SPAM]
use_dcc 0 # DCC is quite useless
use_razor2 # Activate Razor 2 module
razor_timeout 10
lock_method flock # For local bayes files
use_bayes 1
use_auto_whitelist 1
bayes_store_module Mail::SpamAssassin::BayesStore::SQL
bayes_sql_dsn DBI:mysql:spamassassin:bayesdb
bayes_sql_username mail bayes_sql_password xxxxx
bayes_auto_expire 1
bayes_auto_learn_threshold_spam 3.5
bayes_auto_learn_threshold_nonspam 0.1
bayes_use_hapaxes 1
bayes_journal_max_size 20000 # This doesn’t affect SQL
bayes_expiry_max_db_size 50000 # This doesn’t affect SQL
auto_whitelist_factory Mail::SpamAssassin::SQLBasedAddrList
user_awl_dsn DBI:mysql:spamassassin:bayesdb
user_awl_sql_username mail
user_awl_sql_password xxxxx
user_awl_sql_table awl
user_scores_dsn DBI:mysql:spamassassin:control_panel
user_scores_sql_username mail
user_scores_sql_password xxxxx
report_contact abuse@devroot.org
# Score increases (manually change scores)
score RAZOR2_CHECK 2.000
score RAZOR2_CF_RANGE_51_100 2.000
score BAYES_99 3.500
score BAYES_90 3.000
score BAYES_80 2.500
score HTML_IMAGE_ONLY_04 3.000
score HTML_IMAGE_ONLY_08 2.500
score HTML_IMAGE_ONLY_12 2.000
score HTML_IMAGE_ONLY_16 1.500
score HTML_IMAGE_ONLY_20 1.000
score HTML_IMAGE_ONLY_24 0.500
score MIME_HTML_ONLY 1.100

Also it’s important to have this modules loaded in your v310.pre file:

loadplugin Mail::SpamAssassin::Plugin::Pyzor
loadplugin Mail::SpamAssassin::Plugin::Razor2
loadplugin Mail::SpamAssassin::Plugin::SpamCop
loadplugin Mail::SpamAssassin::Plugin::AWL
loadplugin Mail::SpamAssassin::Plugin::AutoLearnThreshold
loadplugin Mail::SpamAssassin::Plugin::WhiteListSubject
loadplugin Mail::SpamAssassin::Plugin::MIMEHeader
loadplugin Mail::SpamAssassin::Plugin::ReplaceTags
loadplugin Mail::SpamAssassin::Plugin::ImageInfo # RulesEmporium

The way to install the additional config and plugins should be as follows:

Copy the new .cf (configuration) files into the directory where SpamAssassin keeps the configuration in your install. In Red Hat machines this directory is /usr/share/spamassassin.

Copy the new .pm (modules) into the SpamAssassin PlugIn module which is by default /usr/lib/perl5/vendor_perl/5.8.3/Mail/SpamAssassin/Plugin/ (this directory of course, is for Perl version 5.8.3, change the version to the one you have installed).

Don’t forget to restart SpamAssassin after adding the new files!

It’s always a good idea to start spamd with -D after activating modules, since most of the times you’re missing a perl module which one of your modules have a dependency with.

This configuration is not really CPU hungry so it’s great for people who are running on a tight server budget.