Here is how I managed to get my Kenwood TH-D72A radio working with Pat on Linux using the built-in TNC and the AX.25 mode
Installing Pat
First of all, download and install the latest Pat package from the GitHub project page.
dpkg -i pat_x.y.z_amd64.deb
Then, follow the installation instructions for the AX.25 mode and install the necessary packages:
apt install ax25-tools ax25-apps
along with the systemd script that comes with Pat:
/usr/share/pat/ax25/install-systemd-ax25-unit.bash
Configuration
Once the packages are installed, it's time to configure everything correctly:
- Power cycle the radio.
- Enable TNC in
packet12mode (band A*). - Tune band A to VECTOR
channel 420
(or 421
if you can't reach
VA7EOCon simplex). Put the following in
/etc/ax25/axports(replacingCALLSIGNwith your own callsign):wl2k CALLSIGN 9600 128 4 WinlinkSet
HBAUDto1200in/etc/default/ax25.Download and compile the
tmd710_tncsetupscript mentioned in a comment in/etc/default/ax25:gcc -o tmd710_tncsetup tmd710_tncsetup.cAdd the
tmd710_tncsetupscript in/etc/default/ax25and use these command line parameters (-B 0specifies band A, use-B 1for band B):tmd710_tncsetup -B 0 -S $DEV -b $HBAUD -sStart ax25 driver:
systemctl start ax25.service
Connecting to a winlink gateway
To monitor what is being received and transmitted:
axlisten -cart
Then create aliases like these in ~/.wl2k/config.json:
{
"connect_aliases": {
"ax25-VA7EOC": "ax25://wl2k/VA7EOC-10",
"ax25-VE7LAN": "ax25://wl2k/VE7LAN-10"
},
}
and use them to connect to your preferred Winlink gateways.
Troubleshooting
If it doesn't look like ax25 can talk to the radio (i.e. the TX light
doesn't turn ON), then it's possible that the tmd710_tncsetup script isn't
being run at all, in which case the TNC isn't initialized correctly.
On the other hand, if you can see the radio transmitting but are not seeing
any incoming packets in axlisten then double check that the speed is
set correctly:
HBAUDin/etc/default/ax25should be set to 1200- line speed in
/etc/ax25/axportsshould be set to 9600 SERIAL_SPEEDintmd710_tncsetupshould be set to 9600- radio displays
packet12in the top-left corner, notpacket96
If you can establish a connection, but it's very unreliable, make sure that
you have enabled software flow control (the -s option in
tmd710_tncsetup).
If you can't connect to VA7EOC-10 on UHF, you could also try the VHF BCFM
repeater on Mt Seymour, VE7LAN (VECTOR
channel 65).
As noted on the official Libravatar blog, I will be shutting the service down on 2018-09-01.
It has been an incredible journey but Libravatar has been more-or-less in maintenance mode for 5 years, so it's somewhat outdated in its technological stack and I no longer have much interest in doing the work that's required every two years when migrating to a new version of Debian/Django. The free software community prides itself on transparency and so while it is a difficult decision to make, it's time to be upfront with the users who depend on the project and admit that the project is not sustainable in its current form.
Many things worked well
The most motivating aspect of running Libravatar has been the steady organic
growth within the FOSS community. Both in terms of traffic (in March 2018,
we served a total of 5 GB of images and 12 GB of 302 redirects to
Gravatar), integration with other sites and projects (Fedora, Debian,
Mozilla, Linux kernel, Gitlab, Liberapay and many others), but also in terms
of users:
In addition, I wanted to validate that it is possible to run a FOSS service without having to pay for anything out-of-pocket, so that it would be financially sustainable. Hosting and domain registrations have been entirely funded by the community, thanks to the generosity of sponsors and donors. Most of the donations came through Gittip/Gratipay and Liberapay. While Gratipay has now shut down, I encourage you to support Liberapay.
Finally, I made an effort to host Libravatar on FOSS infrastructure. That meant shying away from popular proprietary services in order to make a point that these convenient and well-known services aren't actually needed to run a successful project.
A few things didn't pan out
On the other hand, there were also a few disappointments.
A lot of the libraries and plugins never implemented DNS federation. That was the key part of the protocol that made Libravatar a decentralized service but unfortunately the rest of the protocol was must easier to implement and therefore many clients stopped there.
In addition, it turns out that while the DNS system is essentially a federated caching system for IP addresses, many DNS resolvers aren't doing a good job caching records and that created unnecessary latency for clients that chose to support DNS federation.
The main disappointment was that very few people stepped up to run mirrors.
I designed the service so that it could scale easily in the same way that
Linux distributions have coped with increasing user bases: "ftp" mirrors. By
making the actual serving of images only require Apache and mod_rewrite, I
had hoped that anybody running Apache would be able to add an extra vhost to
their setup and start serving our static files. A few people did sign up for
this over the years, but it mostly didn't work. Right now, there are no
third-party mirrors online.
The other aspect that was a little disappointing was the lack of code contributions. There were a handful from friends in the first couple of months, but it's otherwise been a one-man project. I suppose that when a service works well for what people use it for, there are less opportunities for contributions (or less desire for it). The fact dev environment setup was not the easiest could definitely be a contributing factor, but I've only ever had a single person ask about it so it's not clear that this was the limiting factor. Also, while our source code repository was hosted on Github and open for pull requests, we never even received a single drive-by contribution, hinting at the fact that Github is not the magic bullet for community contributions that many people think it is.
Finally, it turns out that it is harder to delegate sysadmin work (you need root, for one thing) which consumes the majority of the time in a mature project. The general administration and maintenance of Libravatar has never moved on beyond its core team of one. I don't have a lot of ideas here, but I do want to join others who have flagged this as an area for "future work" in terms of project sustainability.
Personal goals
While I was originally inspired by Evan Prodromou's vision of a suite of FOSS services to replace the proprietary stack that everybody relies on, starting a free software project is an inherently personal endeavour: the shape of the project will be influenced by the personal goals of the founder.
When I started the project in 2011, I had a few goals:
I wanted to get experience with Python, Django, and Bazaar.
I wanted to speak at a Kiwi PyCon which I did, twice, but my Libravatar experience also led to speak at DebConf twice, linux.conf.au and OSCON.
Career-wise, I wanted to move beyond PHP development, which I successfully achieved by working for a new client while I was at Catalyst and then getting hired by Mozilla to work on Persona until it was de-staffed following a Mozilla reorg.
This project personally taught me a lot of different technologies and allowed me to try out various web development techniques I wanted to explore at the time. That was intentional: I chose my technologies so that even if the project was a complete failure, I would still have gotten something out of it.
A few things I've learned
I learned many things along the way, but here are a few that might be useful to other people starting a new free software project:
Speak about your new project at every user group you can. It's important to validate that you can get other people excited about your project. User groups are a great (and cheap) way to kickstart your word of mouth marketing.
When speaking about your project, ask simple things of the attendees (e.g. create an account today, join the IRC channel). Often people want to support you but they can't commit to big tasks. Make sure to take advantage of all of the support you can get, especially early on.
Having your friends join (or lurk on!) an IRC channel means it's vibrant, instead of empty, and there are people around to field simple questions or tell people to wait until you're around. Nobody wants to be alone in a channel with a stranger.
Thank you
I do want to sincerely thank all of the people who contributed to the project over the years:
- Jonathan Harker and Brett Wilkins for productive hack sessions in the Catalyst office.
- Lars Wirzenius, Andy Chilton and Jesse Noller for graciously hosting the service.
- Christian Weiske, Melissa Draper, Thomas Goirand and Kai Hendry for running mirrors on their servers.
- Chris Forbes, fr33domlover, Kang-min Liu and strk for writing and maintaining client libraries.
- The Wellington Perl Mongers for their invaluable feedback on an early prototype.
- The
#equifossgroup for their ongoing suppport and numerous ideas. - Nigel Babu and Melissa Draper for producing the first (and only) project stikers, as well as Chris Cormack for spreading so effectively.
- Adolfo Jayme, Alfredo Hernández, Anthony Harrington, Asier Iturralde Sarasola, Besnik, Beto1917, Daniel Neis, Eduardo Battaglia, Fernando P Silveira, Gabriele Castagneti, Heimen Stoffels, Iñaki Arenaza, Jakob Kramer, Jorge Luis Gomez, Kristina Hoeppner, Laura Arjona Reina, Léo POUGHON, Marc Coll Carrillo, Mehmet Keçeci, Milan Horák, Mitsuhiro Yoshida, Oleg Koptev, Rodrigo Díaz, Simone G, Stanislas Michalak, Volkan Gezer, VPablo, Xuacu Saturio, Yuri Chornoivan, yurchor and zapman for making Libravatar speak so many languages.
I'm sure I have forgotten people who have helped over the years. If your name belongs in here and it's not, please email me or leave a comment.
I recently moved my dynamic DNS hostnames from dyndns.org (now owned by Oracle) to No-IP. In the process, I moved all of my hostnames under a sub-domain that I control in case I ever want to self-host the authoritative DNS server for it.
Creating an account
In order to use my own existing domain, I registered for the Plus Managed
DNS service and provided my top-level
domain (fmarier.org).
Then I created a support ticket to ask for
the sub-domain feature. Without that, No-IP expects you to delegate your
entire domain to them, whereas I only wanted to delegate *.dyn.fmarier.org.
Once that got enabled, I was able to create hostnames like machine.dyn in
the No-IP control panel. Without the sub-domain feature, you can't have dots
in hostnames.
I used a bogus IP address (e.g. 1.2.3.4) for all of the hostnames I
created in order to easily confirm that the client software is working.
DNS setup
On my registrar's side, here are the DNS records I had to add to delegate
anything under dyn.fmarier.org to No-IP:
dyn NS ns1.no-ip.com.
dyn NS ns2.no-ip.com.
dyn NS ns3.no-ip.com.
dyn NS ns4.no-ip.com.
dyn NS ns5.no-ip.com.
Client setup
In order to update its IP address whenever it changes, I installed ddclient on each of my machines:
apt install ddclient
While the ddclient package won't help you configure your No-IP service during installation or enable the web IP lookup method, this can all be done by editing the configuration after the fact.
I put the following in /etc/ddclient.conf:
ssl=yes
protocol=noip
use=web, web=checkip.dyndns.com, web-skip='IP Address'
server=dynupdate.no-ip.com
login=myusername
password='Password1!'
machinename.dyn.fmarier.org
and the following in /etc/default/ddclient:
run_dhclient="false"
run_ipup="false"
run_daemon="true"
daemon_interval="3600"
Then restart the service:
systemctl restart ddclient.service
Note that you do need to change the default update interval or the
checkip.dyndns.com server will ban your IP
address.
Testing
To test that the client software is working, wait 6 minutes (there is an internal check which cancels any client invocations within 5 minutes of another), then run it manually:
ddclient --verbose --debug
The IP for that machine should now be visible on the No-IP control panel and in DNS lookups:
dig +short machinename.dyn.fmarier.org
In order to be able to use the webroot
plugin for
certbot and automatically renew the Let's
Encrypt certificate for libravatar.org, I
had to put together an Apache config that would do the following on port 80:
- Let
/.well-known/acme-challenge/*through on the bare domain (http://libravatar.org/). - Redirect anything else to
https://www.libravatar.org/.
The reason for this is that the main
Libravatar service listens on
www.libravatar.org and not libravatar.org, but that cerbot needs to
ascertain control of the bare domain.
This is the configuration I ended up with:
<VirtualHost *:80>
DocumentRoot /var/www/acme
<Directory /var/www/acme>
Options -Indexes
</Directory>
RewriteEngine on
RewriteCond "/var/www/acme%{REQUEST_URI}" !-f
RewriteRule ^(.*)$ https://www.libravatar.org/ [last,redirect=301]
</VirtualHost>
The trick I used here is to make the redirection RewriteRule conditional
on the requested file (%{REQUEST_URI}) not existing in the /var/www/acme
directory, the one where I tell certbot to drop its temporary files.
Here are the relevant portions of /etc/letsencrypt/renewal/www.libravatar.org.conf:
[renewalparams]
authenticator = webroot
account =
<span class="createlink"><a href="/ikiwiki.cgi?do=create&from=posts%2Fredirecting-entire-site-except-certbot-webroot&page=webroot_map" rel="nofollow">?</a>webroot map</span>
libravatar.org = /var/www/acme
www.libravatar.org = /var/www/acme
Here's how to setup LXC-based "chroots" on Debian stretch. While I wrote about this on Debian jessie, I had to make some networking changes for stretch and so here are the full steps that should work on stretch.
Start by installing (as root) the necessary packages:
apt install lxc libvirt-clients debootstrap
Network setup
I decided to use the default /etc/lxc/default.conf configuration (no
change needed here):
lxc.network.type = veth
lxc.network.link = lxcbr0
lxc.network.flags = up
lxc.network.hwaddr = 00:FF:AA:xx:xx:xx
and enable networking by putting the following in a new /etc/default/lxc-net file:
USE_LXC_BRIDGE="true"
That configuration requires that the veth kernel module be loaded. If
you have any kinds of module-loading restrictions enabled, you probably
need to add the following to /etc/modules and reboot:
veth
Next, I had to make sure that the "guests" could connect to the outside world through the "host":
Enable IPv4 forwarding by putting this in
/etc/sysctl.conf:net.ipv4.ip_forward=1and then applying it using:
sysctl -pRestart the network bridge:
systemctl restart lxc-net.serviceand ensure that it's not blocked by the host firewall, by putting this in
/etc/network/iptables.up.rules:-A FORWARD -d 10.0.3.0/24 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -s 10.0.3.0/24 -j ACCEPT -A INPUT -d 224.0.0.251 -s 10.0.3.1 -j ACCEPT -A INPUT -d 239.255.255.250 -s 10.0.3.1 -j ACCEPT -A INPUT -d 10.0.3.255 -s 10.0.3.1 -j ACCEPT -A INPUT -d 10.0.3.1 -s 10.0.3.0/24 -j ACCEPTand applying the rules using:
iptables-apply
Creating a container
Creating a new container (in /var/lib/lxc/) is simple:
sudo MIRROR=http://httpredir.debian.org/debian lxc-create -n sid64 -t debian -- -r sid -a amd64
You can start or stop it like this:
sudo lxc-start -n sid64
sudo lxc-stop -n sid64
Connecting to a guest using ssh
The ssh server is configured to require pubkey-based authentication for root logins, so you'll need to log into the console:
sudo lxc-stop -n sid64
sudo lxc-start -n sid64 -F
Since the root password is randomly generated, you'll need to reset it before you can login as root:
sudo lxc-attach -n sid64 passwd
Then login as root and install a text editor inside the container because the root image doesn't have one by default:
apt install vim
then paste your public key in /root/.ssh/authorized_keys.
Then you can exit the console (using Ctrl+a q) and ssh into the
container. You can find out what IP address the container received from DHCP
by typing this command:
sudo lxc-ls --fancy
Mounting your home directory inside a container
In order to have my home directory available within the container, I
created a user account for myself inside the container and then added
the following to the container config file (/var/lib/lxc/sid64/config):
lxc.mount.entry=/home/francois home/francois none bind 0 0
before restarting the container:
lxc-stop -n sid64
lxc-start -n sid64
Fixing locale errors
If you see a bunch of errors like these when you start your container:
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LANG = "fr_CA.utf8"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
then log into the container as root and use:
dpkg-reconfigure locales
to enable the same locales as the ones you have configured in the host.
If you see these errors while reconfiguring the locales package:
Generating locales (this might take a while)...
en_US.UTF-8...cannot change mode of new locale archive: No such file or directory
done
fr_CA.UTF-8...cannot change mode of new locale archive: No such file or directory
done
Generation complete.
and see the following dmesg output on the host:
[235350.947808] audit: type=1400 audit(1441664940.224:225): apparmor="DENIED" operation="chmod" info="Failed name lookup - deleted entry" error=-2 profile="/usr/bin/lxc-start" name="/usr/lib/locale/locale-archive.WVNevc" pid=21651 comm="localedef" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
then AppArmor is interfering with the locale-gen binary and the
work-around I found is to temporarily shutdown AppArmor on the host:
lxc-stop -n sid64
systemctl stop apparmor
lxc-start -n sid64
and then start up it later once the locales have been updated:
lxc-stop -n sid64
systemctl start apparmor
lxc-start -n sid64
AppArmor support
If you are running AppArmor, your container probably won't start until you
add the following to the container config (/var/lib/lxc/sid64/config):
lxc.aa_allow_incomplete = 1
WiFi in the 2.4 GHz range is usually fairly congested in urban environments. The 5 GHz band used to be better, but an increasing number of routers now support it and so it has become fairly busy as well. It turns out that there are a number of channels on that band that nobody appears to be using despite being legal in my region.
Why are the middle channels unused?
I'm not entirely sure why these channels are completely empty in my area, but I would speculate that access point manufacturers don't want to deal with the extra complexity of the middle channels. Indeed these channels are not entirely unlicensed. They are also used by weather radars, for example. If you look at the regulatory rules that ship with your OS:
$ iw reg get
global
country CA: DFS-FCC
(2402 - 2472 @ 40), (N/A, 30), (N/A)
(5170 - 5250 @ 80), (N/A, 17), (N/A), AUTO-BW
(5250 - 5330 @ 80), (N/A, 24), (0 ms), DFS, AUTO-BW
(5490 - 5600 @ 80), (N/A, 24), (0 ms), DFS
(5650 - 5730 @ 80), (N/A, 24), (0 ms), DFS
(5735 - 5835 @ 80), (N/A, 30), (N/A)
you will see that these channels are flagged with "DFS". That stands for Dynamic Frequency Selection and it means that WiFi equipment needs to be able to detect when the frequency is used by radars (by detecting their pulses) and automaticaly switch to a different channel for a few minutes.
So an access point needs extra hardware and extra code to avoid interfering with priority users. Additionally, different channels have different bandwidth limits so that's something else to consider if you want to use 40/80 MHz at once.
Using all legal channels in Gargoyle
The first time I tried setting my access point channel to one of the middle 5 GHz channels, the SSID wouldn't show up in scans and the channel was still empty in WiFi Analyzer.
I tried changing the channel again, but this time, I ssh'd into my router and looked at the errors messages using this command:
logread -f
I found a number of errors claiming that these channels were not authorized for the "world" regulatory authority.
Because Gargoyle is based on OpenWRT, there are a lot more wireless configuration options available than what's exposed in the Web UI.
In this case, the solution was to explicitly set my country in the wireless options (where CA is the
country code for Canada, where my
router is physically located).
Then I rebooted and I was able to set the channel successfully via the Web UI.
If you are interested, there is a lot more information about how all of this works in the kernel documentation for the wireless stack.
The Libravatar mirrors are setup using DNS round-robin which makes it a little challenging to automatically provision Let's Encrypt certificates.
In order to be able to use Certbot's
webroot plugin, I need to
be able to simultaneously host a randomly-named file into the webroot of
each mirror. The reason is that the verifier will connect to
seccdn.libravatar.org, but there's no way to know which of the DNS entries
it will hit. I could copy the file over to all of the mirrors, but that
would be annoying since some of the mirrors are run by volunteers and I
don't have direct access to them.
Thankfully, Scott Helme has shared his elegant
solution:
proxy the .well-known/acme-challenge/ directory from all of the mirrors to a single validation host.
Here's the exact configuration I ended up with.
DNS Configuration
In order to serve the certbot validation files separately from the main
service, I created a new hostname, acme.libravatar.org, pointing to the
main Libravatar server:
CNAME acme libravatar.org.
Mirror Configuration
On each mirror, I created a new Apache vhost on port 80 to proxy the acme challenge
files by putting the following in the existing port 443 vhost config
(/etc/apache2/sites-available/libravatar-seccdn.conf):
<VirtualHost *:80>
ServerName __SECCDNSERVERNAME__
ServerAdmin __WEBMASTEREMAIL__
ProxyPass /.well-known/acme-challenge/ http://acme.libravatar.org/.well-known/acme-challenge/
ProxyPassReverse /.well-known/acme-challenge/ http://acme.libravatar.org/.well-known/acme-challenge/
</VirtualHost>
Then I enabled the right modules and restarted Apache:
a2enmod proxy
a2enmod proxy_http
systemctl restart apache2.service
Finally, I added a cronjob in /etc/cron.daily/commit-new-seccdn-cert to
commit the new cert to
etckeeper automatically:
#!/bin/sh
cd /etc/libravatar
/usr/bin/git commit --quiet -m "New seccdn cert" seccdn.crt seccdn.pem seccdn-chain.pem > /dev/null || true
Main Configuration
On the main server, I created a new webroot:
mkdir -p /var/www/acme/.well-known
and a new vhost in /etc/apache2/sites-available/acme.conf:
<VirtualHost *:80>
ServerName acme.libravatar.org
ServerAdmin webmaster@libravatar.org
DocumentRoot /var/www/acme
<Directory /var/www/acme>
Options -Indexes
</Directory>
</VirtualHost>
before enabling it and restarting Apache:
a2ensite acme
systemctl restart apache2.service
Registering a new TLS certificate
With all of this in place, I was able to register the cert easily using the webroot plugin on the main server:
certbot certonly --webroot -w /var/www/acme -d seccdn.libravatar.org
The resulting certificate will then be automatically renewed before it expires.
I wanted to setup a mail service on a staging server that would send all outgoing emails to a local mailbox. This avoids sending emails out to real users when running the staging server using production data.
First, install the postfix mail server:
apt install postfix
and choose the "Local only" mail server configuration type.
Then change the following in /etc/postfix/main.cf:
default_transport = error
to:
default_transport = local:root
and restart postfix:
systemctl restart postfix.service
Once that's done, you can find all of the emails in /var/mail/root.
So you can install mutt:
apt install mutt
and then view the mailbox like this:
mutt -f /var/mail/root
Two months ago, Troy Hunt, the security professional behind Have I been pwned?, released an incredibly comprehensive password list in the hope that it would allow web developers to steer their users away from passwords that have been compromised in past breaches.
While the list released by HIBP is hashed, the plaintext passwords are out there and one should assume that password crackers have access to them. So if you use a password on that list, you can be fairly confident that it's very easy to guess or crack your password.
I wanted to check my active passwords against that list to check whether or not any of them are compromised and should be changed immediately. This meant that I needed to download the list and do these lookups locally since it's not a good idea to send your current passwords to this third-party service.
I put my tool up on Launchpad / PyPI and you are more than welcome to give it a go. Install Postgres and Psycopg2 and then follow the README instructions to setup your database.
In order to easily authenticate with IRC networks such as OFTC and Freenode, it is possible to use client TLS certificates (also known as SSL certificates). In fact, it turns out that it's very easy to setup both on irssi and on znc.
Generate your TLS certificate
On a machine with good entropy, run the following command to create a keypair that will last for 10 years:
openssl req -nodes -newkey rsa:2048 -keyout user.pem -x509 -days 3650 -out user.pem -subj "/CN=<your nick>"
Then extract your key fingerprint using this command:
openssl x509 -sha1 -noout -fingerprint -in user.pem | sed -e 's/^.*=//;s/://g'
Share your fingerprints with NickServ
On each IRC network, do this:
/msg NickServ IDENTIFY Password1!
/msg NickServ CERT ADD <your fingerprint>
in order to add your fingerprint to the access control list.
Configure ZNC
To configure znc, start by putting the key in the right place:
cp user.pem ~/.znc/users/<your nick>/networks/oftc/moddata/cert/
and then enable the built-in cert plugin for
each network in ~/.znc/configs/znc.conf:
<Network oftc>
...
LoadModule = cert
...
</Network>
<Network freenode>
...
LoadModule = cert
...
</Network>
Configure irssi
For irssi, do the same thing but put the cert in ~/.irssi/user.pem and
then change the OFTC entry in ~/.irssi/config to look like this:
{
address = "irc.oftc.net";
chatnet = "OFTC";
port = "6697";
use_tls = "yes";
tls_cert = "~/.irssi/user.pem";
tls_verify = "yes";
autoconnect = "yes";
}
and the Freenode one to look like this:
{
address = "chat.freenode.net";
chatnet = "Freenode";
port = "7000";
use_tls = "yes";
tls_cert = "~/.irssi/user.pem";
tls_verify = "yes";
autoconnect = "yes";
}
That's it. That's all you need to replace password authentication with a much stronger alternative.