Linux bridge forward EAPOL 8021x frames

XenClient is no different from other Xen configurations in that the networking hardware is shared between guests through a bridge hosted in dom0 (or a network driver domain in the case of XenClient XT). For most use cases the standard Linux bridge will route your traffic as expected. We ran into an interesting problem, however, when a customer doing a pilot on XenClient XT tried to authenticate their guest VMs using EAPOL (802.1X auth over Ethernet). The bridge gobbled up their packets and we got some pretty strange bug reports as a result.

Just throwing “linux bridge EAPOL 8021x” into a search engine will return a number of hits from various mailing lists where users report similar issues. The fix is literally a one-line change that drops a check on the destination MAC address. This check is there to ensure compliance with the 802.1D standard, which requires layer 2 bridges to drop packets addressed to the “bridge filter MAC address group”. Since XenClient is a commercial product and the fix is in code that is responsible for our guest networking (which is pretty important), we wanted to code up a way to selectively enable this feature on a per-bridge basis using a sysfs node. We / I also tested the hell out of it for a few days straight.

The end result is a neat little patch that allows users to selectively pass EAPOL packets from their guests across the layer 2 bridge in dom0 / ndvm and out to their authentication infrastructure. The patch is open source just like the kernel and is available on the XenClient source CD. It’s also available here for your convenience 🙂
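
The forwarding decision described above, as a user-space model added here for illustration; it is not the XenClient patch or kernel code. The fwd_eapol flag is a hypothetical stand-in for the per-bridge sysfs toggle and the sample frames are constructed; the reserved range 01:80:C2:00:00:00 to 01:80:C2:00:00:0F and the EAPOL ethertype 0x888E are the standard values. The exception is kept narrow so that other link-local control traffic from guests (STP, pause, LACP) is still dropped.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HLEN  14
#define ETH_P_PAE 0x888E  /* EAPOL ethertype (IEEE 802.1X) */

/* Hypothetical per-bridge state; fwd_eapol stands in for the sysfs toggle. */
struct bridge_model { bool fwd_eapol; };

/* 802.1D reserved group: 01:80:C2:00:00:00 through 01:80:C2:00:00:0F. */
static bool is_reserved_group(const uint8_t *dst)
{
    static const uint8_t prefix[5] = { 0x01, 0x80, 0xC2, 0x00, 0x00 };
    return memcmp(dst, prefix, sizeof(prefix)) == 0 && (dst[5] & 0xF0) == 0;
}

/* Returns true if the modelled bridge would forward the frame to other ports. */
bool bridge_should_forward(const struct bridge_model *br,
                           const uint8_t *frame, size_t len)
{
    if (len < ETH_HLEN)
        return false;             /* runt frame: no full Ethernet header */
    if (!is_reserved_group(frame))
        return true;              /* ordinary traffic is bridged as usual */
    uint16_t ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    /* Only exception: PAE group address (.03) carrying EAPOL, when enabled. */
    if (br->fwd_eapol && frame[5] == 0x03 && ethertype == ETH_P_PAE)
        return true;
    return false;                 /* everything else in the group stays local */
}

/* Constructed sample frames: Ethernet header plus a few payload bytes. */
const uint8_t eapol_start[18] = {
    0x01,0x80,0xC2,0x00,0x00,0x03,  0x02,0x00,0x00,0x00,0x00,0x01,
    0x88,0x8E,  0x01,0x01,0x00,0x00 };  /* EAPOL v1, type Start, length 0 */
const uint8_t stp_bpdu[17] = {
    0x01,0x80,0xC2,0x00,0x00,0x00,  0x02,0x00,0x00,0x00,0x00,0x01,
    0x00,0x26,  0x42,0x42,0x03 };       /* 802.3 length field + STP LLC */
const uint8_t unicast_ip[14] = {
    0x02,0x00,0x00,0x00,0x00,0x02,  0x02,0x00,0x00,0x00,0x00,0x01,
    0x08,0x00 };                        /* IPv4 to a unicast address */
```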

OE-Core Yocto gcc timeout

I’ve been thrashing around trying to get the upstream OE to build an image for me. Today I finally made a concerted effort over a few hours to dive deep and do this right. It turns out I was using the “old” OE repos when I should have been using the “new” build system from the Yocto Project. Their documentation is excellent but still, my first build failed.

What’s this? The GCC recipe failing because of a network timeout? Oddly enough it actually downloaded some of the sources but not all of ’em.

| svn: REPORT of '/svn/gcc/!svn/vcc/default': Could not read response body: connection was closed by server (http://gcc.gnu.org)
NOTE: package gcc-cross-initial-4.6.1+svnr175454-r10: task do_fetch: Failed
ERROR: Task 5 (/home/build/poky-edison-6.0/meta/recipes-devtools/gcc/gcc-cross-initial_4.6.bb, do_fetch) failed with exit code '1'
ERROR: '/home/build/poky-edison-6.0/meta/recipes-devtools/gcc/gcc-cross-initial_4.6.bb' failed

At this point I just tried again and it failed in the same place but had checked out more of the code. A quick search shows that a similar error is common when checking out code from SVN servers over HTTP. Apache just has a tendency to time out when checking out large repositories with mod-svn. The suggested fix is to increase the timeout value in your Apache configs … except these configs are on the GNU web servers and we can’t change them.

What we can change though is the protocol bitbake uses when getting the sources. Just change the proto from ‘http’ to ‘svn’ in the SRC_URI in gcc-4.6.inc (found at /meta/recipes-devtools/gcc/gcc-4.6.inc) and we’re almost good. It’ll look like this when you’re done.


SRC_URI = "svn://gcc.gnu.org/svn/gcc/branches;module=${BRANCH};proto=svn

It still timed out for me a few times but it ran for much longer than the HTTP protocol option. HTTP timed out after about 10 minutes, SVN made it almost an hour before timing out … You’d think there would be a tarball of these sources mirrored somewhere so we didn’t have to kill the GNU SVN servers on every fresh build. Something to look into I guess. Either way gcc is building now, hopefully I’ll have a build running soon …

UPDATE: With some advice from Scott below I used the poky distro by including: DISTRO="poky" in my local.conf file. As promised bitbake then doesn’t try to check out the gcc svn repository directly from gnu.org. Instead it grabs a tarball from one of the Yocto mirrors and the build takes mere minutes. Thanks Scott!

LaTeX for your Resume / CV

I’m far from a ninja when it comes to LaTeX but I’m a big fan. I’ve written a bit about formatting logical expressions for past homework exercises. I’ve also used it in blog posts for doing the same. It’s a very useful tool even if you’re just using basic templates like me.

A major driver behind my work on this website was the desire to get some of my technical work out into the public domain. Around the same time I started blogging I told myself that I should host my resume on this site as an incentive to keep it up to date. I failed pretty miserably there.

But when I took my position with Citrix nearly a year ago I updated my CV and now I’m resolving to keep it that way. It’s never an easy task to drag an old CV into the modern age and mine had been formatted using a very old style called res from RPI. Instead of struggling to keep the style usable on a modern toolchain I took on migrating to the newer tucv from CTAN.

This was a catalyst for all sorts of useful stuff like getting my CV into a git repo and generally refreshing the content. I’ll be putting together an ‘about’ page on this site where I’ll host it and make the source available as well.

Till then here’s a quick set of instructions for getting tucv working on Debian Wheezy:
Unfortunately I wasn’t able to find tucv in any of the Debian latex / texlive packages. So to get tucv working I had to get the basic latex and texlive packages. Once this was done I had to download the .dtx and .ins files manually.

Figuring out how to generate a style file from these sources and where to put them was the next trick. A bit of web searching turned up a manual describing how to use LaTeX on Debian:

  1. Just copy these files to /usr/local/share/texmf/tex/latex/tucv.
  2. Compile both files using latex to generate the package and documentation.
  3. Register the new style using mktexlsr or texhash.

Then all you have to do is make your resume! Following the examples from the CTAN website is the best way to go. Personally I already had a significant amount of content so most of my time was spent playing with layout.

It’s not perfect and I’ll be playing around to see if I can get better spacing in some of the sections that have a two-column layout. The rightmost column is too narrow and forces date ranges onto multiple lines and I’m not a big fan of how that looks.