I just discovered something very cool. As an only occasional coder (Python, mostly, when I get the chance to write code), I don’t have a very good grasp of where all the header files for Mac OS X frameworks live.

Let’s say that you want to know where CGEventSourceSecondsSinceLastEventType is defined. Just hunt for it in Spotlight and it will turn up all the places it shows up in header files.

E.g.

/Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs /iPhoneSimulator3.2.sdk/System/Library/Frameworks/ApplicationServices.framework /Versions/A/Frameworks/CoreGraphics.framework/Versions/A/Headers

Or

/Developer/SDKs/MacOSX10.6.sdk/System/Library/Frameworks /IOKit.framework/Versions/A/Headers/hidsystem

Clicking on the Spotlight results opens the file in Xcode.

Who knew?

Coming up [with] a question is also creation.

In fact, a question that has a huge receptive capacity doesn’t even need a definitive answer.

The very essence of a question is its power to elicit the possibilities or reply, to trigger a variety of thoughts.

Questioning is emptiness.

The total quantity of thoughts triggered by questioning is what matters most.

I entreat you not to produce more but to think more.

I believe that the richness of that thinking may very well be the critical resources to giving this world a future.

– Kenya Hara at Google

Found via Core77

Aug  6 12:33:25 example sshd[7296]: in pam_sm_authenticate(): Failed to determine Kerberos principal name
Aug  6 12:33:29 example sshd[7294]: error: PAM: authentication error for user from example.com via 192.168.0.1
Aug  6 12:33:29 example sshd[7297]: in pam_sm_authenticate(): Failed to determine Kerberos principal name.
Aug  6 12:33:32 example sshd[7294]: error: PAM: user account has expired for user from example.com via 192.168.0.1

Then don’t do what I did. After googling to no avail, I went so far as to completely reinstall Mac OS X. No good.

[Update: Actually, what I did was clone a different system that I had recently set up and used it as the "new installation". Had I done a total, from DVD reinstallation, it would have fixed the problem but I wouldn't have discovered the cause.]

The answer? Make sure you didn’t set the Remote Login preferences in System Preferences/Sharing to “Only these users” and then forget to add the new user to the list!

D’oh.

Hopefully this will help the next person who’s looking for the answer.

Initially it was a bust. I hooked it up to a monitor, turned it on, and it booted to a text login prompt. No nice multi-media GUI, nothing. Just login:

Googling around was no help. I couldn’t figure out how to make it start X Windows or anything. The OS that’s on there is called Red Flag Linux. It seemed to have everything it needed, but I don’t have enough Xorg fu to understand how it was supposed to figure out how to configure itself for the monitor I had.

It turns out that was a blessing in disguise. After a little more Googling, I found myself making a bootable USB stick with Ubuntu 9.10 on it. I wound up using the “From Linux” instructions from another Ubuntu box. I debated whether or not to use the netbook distro or the full desktop one. I picked the full one. It turned out to be the right choice.

I did mess with the B202′s BIOS a bit to figure out how to make it boot from the USB stick. I’m not sure whether any of that was strictly necessary, but I had changed a few things to try to get the original software running.

After that it was smooth sailing. Ubuntu booted right up, running from the USB stick. It helpfully presented the option of installing from the stick. Once I made sure it would be able to work with the ethernet and WiFi, I used the installer to reformat the drive and install Ubuntu.

Things went so well, I’m ordering another one. The first one’s going to run our projector. The next one’s going to act as a WiFi to ethernet connection sharing router.

This was my first experience with a LiveCD/LiveUSB/etc. linux. It’s probably unremarkable these days, but I’m impressed with how easy it was to do.

Update: I just got my 2nd Eee Box. This one came with Windows XP pre-installed. Here are the steps needed to install Ubuntu:

1. When it boots into ExpressGate, click the Exit icon, then hold down DEL to get into the BIOS setup
2. In BIOS->Tools: Disable ExpressGate, then hit ESC to exit
3. In BIOS->Boot->Hard Drives: hit + to make 1st drive = USB:SMI USB Disk
4. Plug in your Ubuntu USB stick
5. Hit F10 to save and exit

Now it will boot from the USB stick. At this point you can either boot into Ubuntu w/o installing (i.e. run from the stick) or install Ubuntu. If you’re unsure whether you want to go through with this before you try, then choose the first option. Note that it takes a longish time to boot from the stick.

Once it boots, you’ll see an icon in the upper left corner labeled “Install Ubuntu 9.10″. Double-click that to do an installation.

In addition to figuring out how to deal with denyhosts, here’s how to set up Apache and Mailman log rotation.

I’m running standard Apache 2.2 that comes with Mac OS X 10.6. I like to keep all my virtual hosts in one place, so in this example they are all in /Users/web/. Each host gets a directory structure with it’s own name:

# ls -l www.example.org/
drwxrwxr-x   4 _unknown  _unknown   136 Jan 27 16:47 htdocs
drwxrwxr-x  80 _www      _www      2720 Mar 29 00:33 logs
-rw-r--r--   1 adoyle    web       1881 Feb 20 15:44 www.example.org.conf

The logs for each virtual host go into the logs directory for that host (access_log, error_log, rewrite_log). Ownership on the log files turns out to be important. I’ve found it works best for me if they are owned by the www user and group (or _www, they are essentially the same – something I need to understand the reason for someday).

In /etc/newsyslog.d/local.conf, the following lines deal with rotating logs for three virtual hosts. Using the ‘G’ flag lets you use ‘*’ and other shell wildcards in the file names. I think I could probably have collapsed these into a single line if I had used /Users/web/*/logs/*log instead. In this case, folding things up too much makes it less readable, I think.

The _www:_www takes care of preserving the file ownership after the logs are rotated. A count of 30 means keep around up to 30 old logs. $D0 means rotate daily at 0:00. The ‘B’ flag prevents the “Log file was rotated” message. Apache keeps a pidfile in /var/run/httpd.pid. If you send a kill -30 to the pid in that file, it will cause the equivalent of an ‘apachectl graceful’.

If you don’t provide the pidfile and proper signal number, the logs will rotate, new log files get created, but Apache won’t write to them because it’s still trying to write to the old ones.

# logfilename          [owner:group]            mode count  size  when   flags [/pid_file] [sig_num]
/Users/web/lists.example.org/logs/*log _www:_www 664   30     *    $D0     GBJ /var/run/httpd.pid 30
/Users/web/foo.example.org/logs/*log   _www:_www 664   30     *    $D0     GBJ /var/run/httpd.pid 30
/Users/web/www.example.org/logs/*log   _www:_www 664   30     *    $D0     GBJ /var/run/httpd.pid 30
#

With Mailman I had a slight problem. Mailman doesn’t use nice .log or _log names. It just uses names like bounce, error, post, qrunner, etc. I could have made an entry in the local.conf file for each one, but that seemed error-prone. What if later there’s a new version of Mailman that generates different log files?

My initial assumption was that I could use …/logs/* and newsyslog wouldn’t try to rotate logs it had already rotated. Guess again. After two days, my disk had nearly filled up with files ending in .bz2, .bz2.bz2, .bz2.bz2.b2z…, you get the picture. Luckily I noticed it before the disk did fill up. I got suspicious when my backups on the third day were 15GB bigger than the ones on the first day. I have no idea how many files actually got created. ‘ls’ was unable to produce a listing in the amount of time I was willing to wait. Luckily rm -rf did work. It took several hours to delete all the files.

I’m assuming newsyslog had gotten into a recursive loop right away when it ran at midnight and never stopped churning out files until I killed it.

So anyway, the moral of the story is, if you’re going to use wildcards, make sure they don’t match the rotated logs.

# logfilename          [owner:group]            mode count  size  when  flags [/pid_file] [sig_num]
/Users/mailman/logs/*[a-z]         mailman:_www 664   30     *    $D0     GBJ /Users/mailman/data/master-qrunner.pid 1
#

Mailman wants to be hit with a kill -1, so that’s what I used.

Things have been noodling along for a few weeks with my setup, so I think I have the kinks ironed out.

I had three goals – get denyhosts working, get it to start automatically at boot time, and to deal with rotating the logs.

1. Installation
Easiest first – installing denyhosts. Note that you need to be root to do this. Pretty much just follow the directions. These are the three main settings to worry about.

SECURE_LOG = /private/var/log/secure.log
LOCK_FILE = /var/run/denyhosts.pid
DAEMON_LOG = /var/log/denyhosts

Note that you also may need to create the file /etc/hosts.deny:

touch /etc/hosts.deny

Using touch will create a zero-length file if it’s not there. It won’t affect the contents if it is there.

2. Log rotation

Mac OS 10.6 uses newsyslog to rotate some log files (I’m not sure why, but apache logs don’t seem to be dealt with by newsyslog). To add your own to the mix, just put a file into /etc/newsyslog.d/ following the format for newsyslog.conf(5). I called mine local.conf

# logfilename          [owner:group]            mode count size when  flags [/pid_file] [sig_num]
/var/log/denyhosts                              640   5     *    $D0     J
#

The trouble is, this rotated the log just fine, but then denyhosts stopped logging because newsyslog essentially pulls the rug out from under denyhosts by moving the file.

One design difference between newsyslog and logrotate is the way they deal with notifying processes that logs have been rotated. Logrotate uses prerotate and postrotate scripts, which would be ideal for denyhosts. The way you start and stop it is with

daemon-control start
 
daemon-control stop

daemon-control stop actually sends a SIGTERM to the denyhosts process, but that won’t do any good in the newsyslog config file since once stopped, you need a command line to start it up again. So I decided to tweak the daemon-control script to do this. I replaced the start() function with the one here:

def start(*args):
    cmd = "%s --daemon " % DENYHOSTS_BIN
    if args: cmd += ' '.join(args)
 
    print "starting DenyHosts:   ", cmd
 
    while True:
        os.system(cmd)
        time.sleep(5)
 
        while True:
            pid = getpid()
            if pid >= 0:
                time.sleep(300)
            else:
                break

This just keeps daemon-control running rather than letting it exit after it starts denyhosts. The outer loop starts denyhosts running and later restarts it. The inner loop just waits until it sees the pid file go away. That’s a sure sign that denyhosts stopped running, most likely because of the SIGHUP it will get from newsyslog. Now all I needed to do was add the signal info to my /etc/denyhosts.d/local.conf /etc/newsyslog.d/local.conf file:

# logfilename          [owner:group]            mode count size when  flags [/pid_file] [sig_num]
/var/log/denyhosts                              640   30     *  $D0     BJ  /var/run/denyhosts.pid 15
#

I’ve also changed it to keep 30 days of logs, and added the B flag to prevent newsyslog from adding a line to the file saying it’s rotated the logs. Note that I changed the name to daemon-control2 so if I update denyhosts later, my changes don’t get clobbered.

3. Start at boot time

It turns out that modifying daemon-control to never exit is also just the ticket for running it under launchd. Launchd doesn’t work well on scripts that launch daemonized processes. It watches the script and notices that it’s exited, then tries to start it again.

I made a file called /Library/LaunchDaemons/net.hosts.deny.plist:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>Label</key>
    <string>net.denyhosts</string>
    <key>ProgramArguments</key>
    <array>
      <string>/usr/share/denyhosts/daemon-control2</string>
      <string>start</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
    <key>ServiceDescription</key>
    <string>Lauch denyhosts</string>
  </dict>
</plist>

Get it started with launchctl:

 launchctl load /Library/LaunchDaemons/net.hosts.deny.plist

My /etc/hosts.deny has about 8500 hosts in it right now. Many of those are probably from the denyhosts synchronization feature pulling in IP addresses from the central server.

Update 2010-03-26: Added some links and clarified some bits.

Update 2010-06-06: Note that /etc/hosts.deny must be present. denyhosts won’t create it.

My overall impression is that it’s slower than the beta and slower than Safari 3. But that’s gut feel, not with hard data. The “loading” bar is also far less obvious now, and I always find myself wondering whether Safari has stopped working because it takes a while to even start showing activity.

Before I ever install any updates on a server, I clone the disk with SuperDuper or CCC. That means I also have to first shut down all the services and pull the system off the net, clone the disk, boot the clone to make sure it’s ok, boot the normal disk, do the update, and test everything. Coupled with having to move the computers, 5 disk drives, and a D-Link switch, I didn’t have a fun few hours this morning.  I didn’t update the Leopard Server machine because I couldn’t get the alternate disk to boot. It turns out that the Iomega portable drive I was using (I love these little disks!) wasn’t getting enough power from the G5′s front connector and needed to be plugged in the back. By the time I figured that out, it was too late, the museum staff people were coming in and I had to have the server running again. So I’ll have to do the update another day.

Now one of the remote users on the updated Mini is having trouble getting in via ssh. So is it due to the move, the upgrade, or something completely unrelated? Having tried a bunch of things and looked at the log files, I’m leaning towards “something else”.

The one good thing that comes from this kind of thing is that you learn whether all the services are properly set up to start at boot time.

Namely. It’s a free application launcher for Mac OS X 10.5. I used to use MenuStrip in 10.4 but really only used it for the Quick Launcher feature. When I upgraded to 10.5, I found Namely, which does just one thing. You set a hot-key combination that lets you pop open the Namely window. Then type in a few letters of the application you want to launch, and hit enter. I find myself using the dock less and less these days.

Fluid. Another Mac OS X 10.5 only application. It lets you build a “site specific browser” i.e. a separate application out of a browser window. I’ve wrapped my Google Calendar in Fluid and just keep it running all the time.

VoodooPad Pro. I use it for two things. I have one document to keep track of stuff I’m doing. I have another that I lock with a password to keep track of all my passwords. I haven’t done any scripting with its built-in Lua script engine, but I keep meaning to…

FlySketch. I use this for screen grabs all the time. One great use is to capture those web receipts you get when you buy something or pay for something. I grab them with FlySketch and put them into VoodooPad Pro.

Li’l Snitch. A great little app that lets me know what’s happening on my net connection.