
  • Automatic deploy web application with GIT

    I saved a useful link on this topic a long while back: https://truongan.name.vn/automated-deploying-using-git/ but never got around to finishing the story. My situation is this: I have a web application project that I collaborate on with some colleagues. We have one repository hosted on our team server. I want to use that same server to host our web application, both the development and production branches of it (on different domains).

    Now, whenever we make changes to the code base, I want those changes to be deployed automatically on the server with a simple git push. At first we simply made the repository's working tree available to Apache and considered it done. However, as the code base grew bigger, the deployment process required more changes. Everyone on our team has a .env file with system-specific settings such as file paths, database configuration, etc. that are not portable, and the server has its own settings as well. Those files must be ignored by git and left alone by the deployment process.

    So I googled around to see how others do their deployment and landed on this page: http://gitolite.com/deploy.html. It lays out 4 rules of deployment:

    1. All files in the branch being deployed should be copied to the deployment directory.
    2. Files that were deleted in the git repo since the last deployment should get deleted from the deployment directory.
    3. Any changes to tracked files in the deployment directory after the last deployment should be ignored when following rules 1 and 2. However, sometimes you might want to detect such changes and abort if you found any.
    4. Untracked files in the deploy directory should be left alone

    Rules 1 and 3 pretty much overlap each other and are easy to achieve. The most important rules for me are rules 2 and 4. So I followed his method and made some improvisations of my own.
    The first step is to create a hook in the repository.

     cd myrepo.git/hooks
     vim post-receive
    

    Now, if you have a bare repo, you will find the directory named hooks inside it. If your repo directory contains a working tree, it will have a directory named .git (hidden by default on Unix-like OSes), and the hooks directory resides there.

    The post-receive script runs after someone pushes into the repository and does all the heavy lifting of deployment. This script should be modified to best suit each need; there is no one-size-fits-all formula here.

    My hook looks like this:

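    #!/bin/sh
    # post-receive hook: check out HEAD into the web root after every push.
    # Relative paths are resolved from the directory git runs the hook in.

    WORK_TREE="../public_html"   # directory served by the web server
    GIT_DIR="./checkup.git"      # the repository being deployed

    echo "-------- DEPLOYING HEAD ----------"
    # -f discards local changes to tracked files in the work tree
    git --work-tree="$WORK_TREE" --git-dir="$GIT_DIR" checkout -f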
    

    This script is simple and works fine for many simple projects. On the first deployment I still have to do things like populate the config file, set up the database, etc., but afterwards a simple git push is enough to update the live project.
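
    A hook for the two-branch setup described at the top of this post, added here as an example (it is not the author's hook or code from the gitolite page). Branch names, DEPLOY_ROOT and the directory names are assumptions. It uses git read-tree --reset -u with one index file per target rather than checkout -f, so each deployment tree is tracked separately and the repository's HEAD is never moved.

```shell
#!/bin/sh
# Added example: post-receive hook that deploys two branches to two trees.
# Branch names, DEPLOY_ROOT and directory names are assumptions.
DEPLOY_ROOT="${DEPLOY_ROOT:-/srv/www}"

# Print the deployment directory for a pushed ref; nothing for other refs.
deploy_target() {
    case "$1" in
        refs/heads/master)  echo "$DEPLOY_ROOT/production" ;;
        refs/heads/develop) echo "$DEPLOY_ROOT/development" ;;
    esac
}

# Deploy one updated ref. Each target has its own index file inside the
# repository, so git knows what it last wrote there: files deleted from the
# branch are removed (rule 2), locally edited tracked files are overwritten
# (rule 3), and untracked files such as .env are left alone (rule 4).
deploy_ref() {
    newrev=$1 ref=$2
    target=$(deploy_target "$ref")
    [ -n "$target" ] || return 0          # not a branch we deploy
    case "$newrev" in
        *[!0]*) ;;                        # normal update
        *) echo "$ref deleted, leaving $target as is"; return 0 ;;
    esac
    mkdir -p "$target"
    echo "-------- DEPLOYING $ref to $target ----------"
    GIT_INDEX_FILE="$GIT_DIR/deploy-${ref##*/}.index" \
        git --git-dir="$GIT_DIR" --work-tree="$target" \
        read-tree --reset -u "$newrev"
}

# git sets GIT_DIR for hooks and feeds one "oldrev newrev refname" line per
# updated ref on stdin. Without GIT_DIR (not run by git) do nothing.
if [ -n "${GIT_DIR:-}" ]; then
    GIT_DIR=$(cd "$GIT_DIR" && pwd)       # absolute path for the index files
    while read -r oldrev newrev ref; do
        deploy_ref "$newrev" "$ref"
    done
fi
```

    The targets are plain directories with no .git inside, so the web server has no repository metadata to serve; the untracked .env files still have to be denied over HTTP in the server configuration.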

  • Generate random password on linux, quick and easy way.

    First of all, why random passwords?

    Traditionally, I only used random passwords on really important websites where I really needed a super strong password. In most cases I used easy-to-remember passwords. I have a small pool of passwords that are strong but also easy for me to remember, and I use those passwords on many sites.

    But then the news of massive data breaches at many top sites panicked me. Even top sites like LinkedIn, Dropbox, etc. have suffered data breaches. This puts the passwords I use on those websites at risk. Even though these sites are well designed and stored my password as a hash, people will eventually brute-force their way through those hashing algorithms, and that puts the many sites which share the same password at risk. So I was left with no other choice than to change the password of every website I have used.

    Therefore I decided to use randomly generated passwords from now on. This has two advantages. One, I will have a strong password for every site; not necessary in some cases, but it doesn't hurt either. Two, I will have a unique password for each website, so in case one of them suffers a data breach, the damage is contained. In order to do that, I need two things: an easy-to-use, quick-to-access password generator, and a browser that can save passwords and sync them among devices.

    About the password generator

    You can find password generators anywhere on the web nowadays. However, I need something simple, lightweight and no-nonsense. A little googling around showed me pwmake, which belongs to libpwquality, a dependency of cryptsetup and gnome-disk-utility:

    screenshot-from-2016-11-19-14-08-22

    So if you have Ubuntu or any GNOME installation, chances are you already have pwmake and no installation is required, which is great. The only argument pwmake requires is the number of entropy bits it will take. Normally the number of entropy bits only matters if you're generating tons of passwords at the same time. Those bits will make sure those tons of passwords are truly random and don't form a pattern. But since I only generate one password at a time, any amount of entropy bits would do; even zero is good.

    screenshot-from-2016-11-19-14-30-00

    Since I always have a terminal window hovering in the corner, popping it up, typing that command quickly and copying the generated password is no hassle. The generated password is always 8 characters or more, with lower-case letters, upper-case letters and numbers or symbols mixed in. That's good enough for most websites. If I need a longer password, I can throw in more entropy bits.
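
    What an entropy-bit argument controls, as an added example (not pwmake's own code): a generator whose password length is derived from the number of random bits requested. The names genpw and pw_length and the 64-symbol alphabet are assumptions of this example; the 56-bit floor is the minimum named in the pwmake manual page.

```shell
#!/bin/sh
# Added example, not pwmake's implementation: a generator whose only
# argument is the number of random bits the password must carry.
MIN_BITS=56   # assumption: floor taken from the minimum named in pwmake(1)

# Characters needed when each one is drawn uniformly from a 64-symbol
# alphabet (6 bits per character). Requests below MIN_BITS are raised to it.
pw_length() {
    bits=$1
    [ "$bits" -ge "$MIN_BITS" ] || bits=$MIN_BITS
    echo $(( (bits + 5) / 6 ))
}

# Print one password carrying at least $1 bits of entropy from /dev/urandom.
genpw() {
    n=$(pw_length "$1")
    # tr keeps only bytes that fall inside the alphabet, so every kept byte
    # is an independent, uniform choice among 64 symbols.
    LC_ALL=C tr -dc 'A-Za-z0-9_+' < /dev/urandom | head -c "$n"
    echo
}

# The guess space doubles with every bit, so length follows from the bits
# requested: 64 bits gives 11 characters, 128 bits gives 22.
genpw 64
genpw 128
```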

    And for the password manager.

    When you use randomly generated passwords, you won't be able to remember them. There's no way you can remember a set of long, randomly generated, case-sensitive strings with symbols and numbers mixed in; it's just impossible. Even if you remember them, typing them is a real pain, and typing them on all the devices you own, like a smartphone, is extremely painful. Luckily every major browser nowadays can remember passwords, autofill them when needed and sync them across devices. It's a godsend.

    Now, there are a lot of dedicated password manager programs out there, but as time goes by, the browser's built-in password manager is the best choice in my opinion. First, a stand-alone password manager is not well integrated; it may not autofill the password correctly. In most cases you will end up having to install a browser extension just so the stand-alone password manager can work. Second, a stand-alone manager may not be available on all your platforms and devices, while browsers like Firefox or Chrome are very well supported on almost all platforms. And the built-in password managers have improved a lot nowadays.

    To start using the browser's password manager, just press save password whenever your browser asks you to; it's as simple as that. If you need more security, consider setting a master password; more on that later.

    screenshot-from-2016-11-19-14-49-00

    And finally, both Firefox and Chrome support password syncing across all of your devices. All you need is an email address. When you start Firefox for the first time you will be prompted to create a Firefox account. If you missed this screen, you can access it again via the sign-in to sync option.

    screenshot-from-2016-11-19-15-41-07

     

    An interesting thing I noticed as a long-time Firefox user is that Firefox has had two password syncing mechanisms: https://blog.mozilla.org/services/2014/04/30/firefox-syncs-new-security-model/

    Ideally one wouldn't want one's passwords stored in plain sight on some server; a data breach on that server would be disastrous. So all password syncing services encrypt the passwords before sending them to the server, which is fair enough considering that modern encryption algorithms are pretty strong. However, when those encrypted passwords are transferred from the syncing server to your new device, they require a decryption key.

    Now, it would be easier for users if the Firefox account password was also the decryption key. That way, when you log in to download your synced information, you can also decrypt it without the need for an additional password. But that would mean that if your Firefox account password were compromised, people could get all of your passwords in one place: JACKPOT. So in the early days, Firefox wanted to ensure maximum security by separating the account password and the decryption key. After you logged in from a new device, you could download the synced information but could not read it. You had to do the pairing, a special operation that allowed one of your old devices to securely transfer the decryption key to your new device. And this pairing process was HIDEOUS. So they later changed their mind and went back to the normal way.

    As for the master password: it's meant to protect your data in case someone gets hold of your device. Now, I don't worry much about data safety when my device gets stolen; I have full disk encryption for that. The problem is when someone asks to use your device and you can't refuse. When you set the master password, the browser encrypts all of your sensitive information. The master password is not saved on your computer; the browser asks for it when it needs to access your data and remembers it for one session only. If someone asks to borrow your device, you can simply quit your browser, easy as that.

     

  • A small handmade box for my small tech stuff

    Every time I commute to work, some of my tech has to go with me. I often travel light, so besides my laptop and its charger there's not much stuff, but the items are small and tend to tangle up at the bottom of my bag.

    Below you can see some of my normal on-the-move stuff: my Bluetooth mouse, my phone's earbuds, the Dell universal adapter to connect my laptop to the old projector at work, a micro-USB cable to charge my phone, a retractable Ethernet cable and an adapter for the laptop's power plug.

    IMG_20160625_113844

    After a long while of having them jingling in my bag, I finally decided to step up and be more organized with them. First, it takes an old gift box. I don't even remember what gift was in that box, but I just have a habit of keeping nice boxes. Still, all those years with its ribbon ripped off and being left to collect dust have taken a toll on the classy box.

    IMG_20160625_113944

    Now it's time to add some dividers to the box. I didn't have any paperboard at hand, so I decided to finally put some old driver CDs (who needs driver CDs nowadays?) to rest and reduce them to plastic boards. It was hard to cut up CDs using small scissors, but I finally got it done. After throwing in some duct tape, measurement and adjustment, I got this:

    IMG_20160625_114010

    You can clearly see the holes of the CD dividers. Now it's time to put the stuff back in the box. And voilà:

    IMG_20160625_114129

     

  • Gnome 3.20 won’t work with synaptic touchpad anymore

    My Arch Linux laptop has just been updated to Gnome 3.20, and the first thing I noticed is that palm detection and disable-touchpad-while-typing no longer work.
    It's very annoying because I have quite large hands, and while I rest my hands on the laptop to type, they inevitably touch the touchpad, causing it to register a click with unwanted results. And so I investigated.
    At first I tried gpointing-device-settings, and it still worked. synclient and syndaemon still worked as well, so the touchpad and the Synaptics driver still work. The problem comes from Gnome 3.20.
    Quick googling around revealed that Gnome 3.20 has dropped Synaptics in favor of libinput, and so I quickly removed xf86-input-synaptics and xf86-input-libinput and everything was restored back to normal. But I will still have to stay on the lookout, since libinput is new and I have never used it before, while Synaptics has been around for a long time and is widely supported.

  • Troubleshooting gentoo box require root password to mount any drive

    It has been like that recently. I didn't notice at first until Mom told me that a password-required message pops up every time she plugs in a USB drive.

    After googling around I narrowed the problem down to udisks (which does the mounting) and polkit (the authorization mechanism). Ideally, udisks would ask polkit to elevate its permissions so that it can run just the mounting, but somehow it got stuck in my case, and polkit requires the root password to be provided before it will elevate permissions.

    Small and hideous problems like this one sometimes pop up in rolling-release systems, and most of the time they are gone after a few rounds of updates. But it has been months, and with no update for either udisks or polkit in sight, I will have to investigate.

    It turns out that polkit allows users to write custom rules in JavaScript syntax to customize how an action is authorized. It has a very detailed guide on how to do that in its man page, man 8 polkit. As for the mounting problem, back in 2012 people tended to add this code to /etc/polkit-1/rules.d/10-mounting.rules:

    polkit.addRule (function (action, subject) {
        if (action.id == 'org.freedesktop.udisks2.filesystem-mount-system' && subject.isInGroup('users'))
            return polkit.Result.YES;
    });

    And it turned out that I already had this code in place from the good old times. Damn! It clearly fails to work now. A bit more googling led me to the udisks Authorization checks reference page, and with some basic code tweaking I got this:

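    polkit.addRule(function(action, subject) {
        // Uncomment to log the request while debugging:
        //        polkit.log(action);
        //        polkit.log(subject);
        // Allow any udisks2 action when the drive is reported as removable.
        if (action.id.indexOf("org.freedesktop.udisks2") > -1
            && action.lookup("drive.removable")
            // && subject.isInGroup("storage")   // group restriction, disabled
        ) {
            return polkit.Result.YES;
        }
        // Otherwise fall through to the other rules and the defaults.
    });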

     

     
    The new and "enhanced" code authorizes every udisks action as long as the drive in question is removable, and it works like a charm for USB drives, taking care of not only mounting but unmounting as well. However, it fails miserably for hot-swap HDDs.

    So I guess I will have to accept some masked packages of later versions of polkit and udisks to see if the problem has already been fixed, because it sure isn't this hard on the more bleeding-edge Arch Linux.

  • I bought a dell XPS13 9343


    I recently upgraded my laptop, switching from the economy-class eMachines to the rather high-end Dell XPS 13 9343. The decision was not easy though; it was the most expensive item I have ever purchased in my life, second only to my first motorbike. The purchase was complicated because Dell did not sell that laptop in Viet Nam until very late 2015, and when they did, they sold it at 150% of the US price.

    IMG_20160202_175327

  • Another close call?

    Appendicitis! Three years ago I was admitted to hospital on suspicion of appendicitis, but in the end no conclusion could be reached http://truongan.name.vn/?p=729; this year it's the same again, and again I'm back home under observation :v

  • List of software I install on new box

    firefox gimp libreoffice conky codeblocks ibus-unikey zsh dropbox g++ git skype vim sudo

  • Nginx and PHP-FPM can’t invoke g++

    I ran into this weird problem when trying to get my sharif-judge fork running in Laravel Homestead. Well, it ran fine, but when it invoked g++ to compile stuff I ended up with the error

    g++: error trying to exec 'cc1plus': execvp: No such file or directory

    The weirdest thing is that I can run g++ just fine from the command line; the error only arises when g++ is invoked with shell_exec. A small test.php file with a single line:

    echo shell_exec("g++ code.cpp -fno-asm -Dasm=error -lm -O2 -w >/dev/null 2>error");

    has confirmed the problem.

    2016 update: A fix has been found

    A quick google around revealed many individuals with a similar problem but few answers, and none successfully addressed the problem. While messing around I found that there was nothing wrong with my PHP settings; it turned out to be an environment problem. So I did a quick printenv to get a list of every variable that was set when I invoked g++ from the command line and compared it to the output when invoked by php-fpm. Then it was time to call the putenv PHP function to set each of those variables.

    It turned out that the $PATH variable has to be set in order for g++ to execute, so putting

    putenv('PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games');

    before calling shell_exec easily fixes the problem.