0xDEADBEEF

So, as part of the MySQL SSL Replication series, I decided that I’d look up some open source CA systems.  Because there must be something better than running openssl –fifty –thousand –options –with –no –memory –or –chceking

I found OpenCA/OpenPKI ,which looked interesting.  Except as I tried to set it up, the Ubuntu distributions were in Redhat RPMs, and after converting them they don’t appear to be actual apps.  They may have been framework prereqs of the app.  But the downloading screens were singularly uninformative.

I also found EJBCA, which I haven’t tried out yet.  Partially because OpenCA sounded decent, and I figured I’d try that first, since EJBCA looks to be a much larger Java/jboss application, and I don’t know JBoss offhand.  I’ll let you know if I get it going, otherwise I’ll do the MySQL entries with openssl.

And I meant to post this yesterday, oops.

So, first off — This week’s post was supposed to either be the next in the MySQL series or the followup to the profiling post with a visualization tool.  But I haven’t vetted the instructions for MySQL pt 2, and I need to get all the right screenshots for the tool discussion.  Sorry for that folks

Now, as for what this post IS!  Last week I had to change the hard-drive in an iMac.  The old one died, so it didn’t make sense to follow the general consensus of “just add an external drive and triple your storage it’s way easier”

Also, that kind of advice is just ANNOYING.

I did not, however, remember to take pictures.  Thought of it afterward, but I wasn’t opening the functional system just to do a photo shoot.  Here’s a forum post with links to videos and photos that I used for guidance

So, instead, I’ll explain it where I can.  Also, my system was subtly different from every example I followed, so remember: YMMV.  This was a 2006 or 2007 white Intel iMac

First off, I needed a 6 Torx screwdriver.  And the new SATA hdd.  Most of the recommendations suggested rubber cement or similiar for one of the later steps, I used my wife’s scrapbooking zots.

Step 0: Lay the mac down on it’s back, monitor facing up

Step 1:  Remove memory cover and memory modules (this procedure was explained on the base of the imac, for reference)

Step 2: Remove four torx screws from the bottom of the display; these are in line with the memory screws.

Step 3:  This step is hard.  While holding in the memory tabs, lift the case off the monitor.  The sides and face around the monitor are the part that you’re moving.  I believe in the end I took a small flat-head screwdriver and jimmied a bit to get it started so that I had something to press against to open it.  Also, once it opens a little, the memory tabs are held in by the facing, so you can move your hands to somewhere less awkward.

Step 4: Carefully lift up, bottom more than top.  Once you’re clear of the bottom of the case, keep an eye on the metal tabs and lift to bring them clear.  Also make sure you don’t pull too hard as that will mess up the iSight camera.  There should be enough play in the iSight to lean the case up out of the way

Step 5: There’s a black plastic wrapping.  Carefully pry this off around the bottom and sides (bottom was perforated and I had to break it to remove it, sides were sticky-tabbed).  At the top, above the monitor, you’ll need to carefully pry the black wrapping away from the top of the monitor, but not too far.  I again used a small screwdriver to leverage and slit along.

Step 6: In theory, all the directions said I could now lift the monitor off.  This was where mine went off the rails.  There’s a long black ribbon cable attaching something to the monitor.  I couldn’t see any way to detach it from either end, and I wasn’t willing to risk yanking anything.  So that limited how far I could move the monitor.  That’s along the middle.  On the left side, there are two sets of wires leading from the board to the monitor.  I unhooked the set nearest to me.  That gave me some play in the monitor for the remainder.  You can probably remove both and get more movement.

Step 7: I had to remove two screws from the left-hand side of the hdd.  There was a metal L-plate on that side, and it was hard to tell if the screws were for the HDD or for holding down the daughter-board.  Once you’ve removed those two, you can partially lift the HDD and pull it out to the left.  The right side of the HDD has a pair of pegs that slot into holes to stabilize, so you need to bring it enough right to clear that to remove.  But with the daughterboard in the way, you have to bring it up to clear the board.  It’s a little tinkering and magic to get both aspects.

Step 8: On the RHS of my HDD was a sensor, everything online suggests it’s a heat sensor, although I’m not really sure why they wouldn’t just use the SMART data the HDD has onboard, but whatever.  Carefully pry this off.  It’s glued, so you actually have to pry this one.  Remove the L and the pegs.

Step 9: Replace L & pegs onto new HDD.  This is where the rubber cement comes in.  I stuck a couple zots to the back of the sensor and applied it back to the harddrive.  I won’t swear it’ll stay properly, but I’m not having problems yet at least.  Slide HDD back in, screw back down.

Step 10: Replace monitor, reattaching the cables you removed (I only removed the one, so I was more cramped for steps 7-9, but I only had to remember which way one cable went in)

Step 11: Crimp the black plastic heat envelope back down and restick everywhere.

Step 12: Slide casing back on, hooking the metal clips inside the casing and being careful of the iSight cords & etc.  Hold in the memory tabs while getting the case over them.  Then carefully push the case on, squeezing it down as it gets near to done and starts to stick.  There shouldn’t be any lipping remaining, or the CD might not track smoothly

Step 13: Reapply torx screws.  Re-insert memory and close up.

Again, YMMV, and I really should have had pictures, because I know that when I was looking I wanted the pics to see what was being talked about.

One thing I’ve been looking for, on and off, is some way to view a representation of the server logs in realtime.  Basically something I can take a look at and see what’s happening.  Also, playback at a later date to see what happened at a given time.

One of the only things I found that really did that was glTail.rb, a Ruby program.  I don’t have a lot of Ruby knowledge, so I didn’t go very far with it to see how it ticks and what I could modify.

It runs the log and streams bubbles from one side representing the server traffic.  Size is determined by request/response size.  I never quite figured out what the other set of streaming bubbles really represented, since Ruby isn’t in the environment I was playing in.  As a general use tool, it seems like it would be interesting if you had all the pre-reqs installed already.  As an industry tool, I wasn’t convinced that I saw enough benefit to justify installing the prereqs.

But I don’t think “industry level” even wants a tool like this, so !

I think the most telling video is the one discussed on the slashdotting page.

This is throwing back to our previous discussion about code profiling

The tool we’re using, and which provides a lot of functionality that we really like, is XDebug.  This one, unlike APD, doesn’t appear to have an on/off runtime setting; we activate it in php.ini and it just goes.

Also, for various reasons, patching even our dev systems is a complicated and annoying process.  Luckily, we’ve mostly turned the development system into “integration”, and we all do our development on local developer workstation servers.  So we’ve patched our locals to add XDebug

zend_extension=/opt/php-5.2.6/lib/php/extensions/no-debug-non-zts-20060613/xdebug.so

xdebug.profiler_enable=1
xdebug.profiler_output_dir=/tmp/xdebug/
xdebug.profiler_append=1
xdebug.show_mem_delta=1
xdebug.trace_output_name=trace.%p
xdebug.trace_output_dir=/tmp/xdebug
xdebug.trace_options=1
xdebug.trace_format=1
xdebug.auto_trace=1

That’s activation.  Obviously the zend-extension path is just what is on my local system, it varies.

zend_extension adds it to the PHP interpreter at a base level, so it always works.

profiler_enable — turns it on

profiler_output_dir, trace_output_dir, and trace_output_name  tells it where to put the files it generates

profiler_append (& trace_options) — This flag is necessary because otherwise another process on the same interpreter (apache process) will, by default, overwrite the file.  append allows you to have it just keep adding.  It will confuse your numbers later, but I found it a little safer when I set it up.  Our other primary user has it not appending.

trace_format — this defines what format the output file should be in.  The default (0) is the human readable format.  I could never figure it out.  1 is actually the COMPUTER format, but I find it easy to read.  YMMV

show_mem_delta lets you see how the memory utilization changes between calls in the human format of the trace.

The trace file:

Version: 2.0.4

TRACE START [2010-01-22 20:12:05]

1 0 0 0.014269 53424 {main} 1 /opt/data/localhost/apache/htdocs/php.php 0

2 1 0 0.014295 53448 phpinfo 0 /opt/data/localhost/apache/htdocs/php.php 1

2 1 1 0.404662 58100

1 0 1 0.404689 58100

0.404764 26700

TRACE END   [2010-01-22 20:12:05]

The profile file:

==== NEW PROFILING FILE ==============================================

version: 0.9.6

cmd: /opt/data/localhost/apache/htdocs/php.php

part: 1

events: Time

fl=php:internal

fn=php::phpinfo

1 390321

fl=/opt/data/localhost/apache/htdocs/php.php

fn={main}

summary: 390388

0 66

cfn=php::phpinfo

calls=1 0 0

1 390321

This file is significantly less human readable than the last.  It IS however good for visualization with a tool such as KCachegrind (the file is actually named cachegrind.pid).  That will be the next ToolsDay post.  Because this one is already large, and that one has pictures!

First thing to note:  The community build of MySQL does not support SSL.  You either need the Enterprise or you need to build it yourself.

To check if SSL is enabled on your build:
log into MySQL via any account

mysql> show variables like 'have_ssl';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| have_ssl      | YES   |
+---------------+-------+
1 row in set (0.01 sec)

If it says YES, then MySQL is compiled with SSL support, otherwise a new binary will need to be generated.

Once MySQL has SSL, then you can set the configuration options in the MySQL Configuration/INI file as such (with path’s obviously modified):

[mysqld]
ssl-ca=/usr/mysql-5.0.84/ssl/ca-cert.pem
ssl-cert=/usr/mysql-5.0.84/ssl/mysql.cert
ssl-key=/usr/mysql-5.0.84/ssl/mysql.key
ssl-cipher=ALL

(The last line enables all SSL cipher modes except NULL encryption)

This assumes you have the CA Public Certificate saved as ca-cert.pem, and Public/Private key-certificate pair for your mysql server.  That will be another post

To test the functionality, log in to MySQL using an administrator account

mysql> create database test;
mysql> grant all privileges on test.* to test@localhost identified by 'testpassword' require ssl;

Then you can attempt to log in to the server as the test user:

mysql -u test -p --ssl-ca=ssl/cacert.pem --ssl-cipher=ALL

Without the ssl-cipher line, you get an SSL connection error because it does not know how to encrypt the connection that both parties can communicate; the CA certificate is required to activate the SSL connection and to validate the server, AFAICT.

You don’t technically need to use “ALL” for the cipher entries. There are a number of choices that you can select, but for the purposes of demonstration, ALL was the simplest.

Part 2 will cover more detailed user restrictions. This setup effectively only require that the connection get SSL encryption (confidentiality), but does not validate the user (authenticity).

Part 3 will implement replication over SSL.

OK, so I still want to keep this blog up.  But obviously I’m not so hot at keeping it running at full speed.

So for now, I’m going to post the first and third Tuesday of each month.  If I can get up to say 12 entries ahead in my queue, I may raise it to weekly.  But between two kids and being one of the seniormost developers at the office, I’m not always getting time to post often.  It’s a nice problem to have, I suppose, but I do like posting things here.

So, first and third Tuesday, for now.  So the next post would be 19 January 2009.  Let’s see if I can hit that rather sad target

Those of you who are paying attention might have noticed that , well, frankly I haven’t had time to post anything lately.

We had our second child in March, and between the infant and the toddler, home life has no time for using my computer (or even my xbox ). Work ramped up a bunch (yay for responsibility, boo for more work!) and so I’ve lost the chance to make any posts from there either.

So I’ve decided to quit pretending like I’m going to suddenly have time soon. I’ll re-assess come January. I doubt I’ll have much time before that.

I thought I had some more posts queued up, so I didn’t worry when I was sick all last week and not posting.

Apparently I hadn’t finished all the posts, so I hadn’t queued them   I’ll try to get some new posts up this week, and maybe my son will give me an opportunity to get ahead some

The first Code Profiler we looked at was the Advanced PHP Debugger (APD).  (http://pecl.php.net/apd) Which I insist on calling ADP for some reason.  This one had a lot of features that looked interesting, and had a single function call for turning it on or off.  Something we could add to the pages we were interested in checking, or to our config to profile the complete set.

Unfortunately, the project looks to have been abandoned, with the last release (1.0.1) being from 2004.  We tried setting it up anyway, the zend hooks still existed AFAICT and it’s not unreasonable to believe that profiling data would be reasonably unchanging.  The rest of the “Debugger” might be out of date, but perhaps profiling would work.

As it turned out, apparently not ALL of the zend hooks still existed in the same form, and so every page load simply crashed PHP and the apache process managing the connection.

Hoping this shows right …

    ''=~(        '(?{'        .('`'        |'%')        .('['        ^'-')
    .('`'        |'!')        .('`'        |',')        .'"'.        '\\$'
    .'=='        .('['        ^'+')        .('`'        |'/')        .('['
    ^'+')        .'||'        .(';'        &'=')        .(';'        &'=')
    .';-'        .'-'.        '\\$'        .'=;'        .('['        ^'(')
    .('['        ^'.')        .('`'        |'"')        .('!'        ^'+')
   .'_\\{'      .'(\\$'      .';=('.      '\\$=|'      ."\|".(      '`'^'.'
  ).(('`')|    '/').').'    .'\\"'.+(    '{'^'[').    ('`'|'"')    .('`'|'/'
 ).('['^'/')  .('['^'/').  ('`'|',').(  '`'|('%')).  '\\".\\"'.(  '['^('(')).
 '\\"'.('['^  '#').'!!--'  .'\\$=.\\"'  .('{'^'[').  ('`'|'/').(  '`'|"\&").(
 '{'^"\[").(  '`'|"\"").(  '`'|"\%").(  '`'|"\%").(  '['^(')')).  '\\").\\"'.
 ('{'^'[').(  '`'|"\/").(  '`'|"\.").(  '{'^"\[").(  '['^"\/").(  '`'|"\(").(
 '`'|"\%").(  '{'^"\[").(  '['^"\,").(  '`'|"\!").(  '`'|"\,").(  '`'|(',')).
 '\\"\\}'.+(  '['^"\+").(  '['^"\)").(  '`'|"\)").(  '`'|"\.").(  '['^('/')).
 '+_,\\",'.(  '{'^('[')).  ('\\$;!').(  '!'^"\+").(  '{'^"\/").(  '`'|"\!").(
 '`'|"\+").(  '`'|"\%").(  '{'^"\[").(  '`'|"\/").(  '`'|"\.").(  '`'|"\%").(
 '{'^"\[").(  '`'|"\$").(  '`'|"\/").(  '['^"\,").(  '`'|('.')).  ','.(('{')^
 '[').("\["^  '+').("\`"|  '!').("\["^  '(').("\["^  '(').("\{"^  '[').("\`"|
 ')').("\["^  '/').("\{"^  '[').("\`"|  '!').("\["^  ')').("\`"|  '/').("\["^
 '.').("\`"|  '.').("\`"|  '$')."\,".(  '!'^('+')).  '\\",_,\\"'  .'!'.("\!"^
 '+').("\!"^  '+').'\\"'.  ('['^',').(  '`'|"\(").(  '`'|"\)").(  '`'|"\,").(
 '`'|('%')).  '++\\$="})'  );$:=('.')^  '~';$~='@'|  '(';$^=')'^  '[';$/='`';

That there is some nice formatting  

Source: http://www.99-bottles-of-beer.net/language-perl-737.html
Bottling (and obfuscating) done by: Acme::EyeDrops