First experience with Ubuntu Touch

For the past few weeks I’ve been using a nexus 4 running ubuntu touch as, mostly, my daily driver. I’ve enjoyed it quite a bit. In part that’s just the awesome size of the nexus 4. In part, it’s the ubuntu touch interface itself. If you haven’t tried it, you really should. (Sailfish ambiances are so much prettier, but ubuntu touch is much nicer to use – the quick switch to switch between two apps, for instance. Would that I could have both.). And in part it’s just the fact that it really feels like – is – a regular ubuntu system.

There have been a few problems. The biggest has been to do with email. I need a phone to do only a few things well – texts, calls, and imap email. The only imap mailer available by default, dekko2, looks very nice and is promising, but was simply not yet reliable for me. It would simply stop getting updates for hours, with no warning, for instance. So I’ve taken to using an ubuntu-push notification system for email notifications, and mutt and offlineimap in a libertine container for reading and sending. The notification system is based on https://forums.ubports.com/topic/3126/facebook-messenger-push-notifications/2 and the python mailbox library. It runs on my mail server, checks for new mail, and, if there is any, sends a push notification to my phone. The code I’m using is here on launchpad and here on github. It can certainly stand to be made a bit smarter (the seenmsgs list should be pruned, for instance, and maildir and mh folder support should be trivial to add for those cool cats who use those). Using this service instead of having the phone try to check for emails not only ends up being very reliable, but also saves a lot of battery life.

All in all this could definately work as my permanent new phone! Now if I could just get my hands on a pinephone or librem 5. The nexus 4 hardware is great, but it would be awesome being able to run an uptodate, upstream kernel. More than that – now that my experiment has succeeded, I probably need to stop, because running the ancient kernel simply is not as safe as I’d like. But I digress.

A huge thanks to Mark and the original touch team for creating it, and to the ubports team for keeping it going.

Nice job, everyone!

Posted in Uncategorized | 3 Comments

Running your own mail server

Motivation

Not too long ago there was some hubub around https://myaccount.google.com/purchases. In brief, if you use google mail, it tracks your purchases through receipts received in email. Now, some people see this as no big deal or even a feature. Others see it as a privacy invasion, and are reminded that all their data can be mined by the email provider and possibly third parties. Of those, some advoate getting a paid email provider. Agreed, that provides less incentive to monetize your data… but only a bit. Eventually, any company, however good its initial intentions, goes through leadership changes, is bought out, or goes bankrupt. At that point, your data is one of the assets being bargained with.

The other alternative, of course, is to run your own mail server. I won’t lie – this is not for everyone. But it’s not as bad as some make out. I recently reinstalled mine, so I wrote down the steps I took, and will leave them here. I’ve been holding onto this for at least 6 months hoping to eventually run through them again to work out some of the finer details. That hasn’t happened yet, so I’ll just post what I have now as a start.

Running your own mail server is not free. In particular, you’ll need to pay for a domain name ($10-15/year), and some place to run the mail server. If you have an always-on machine at home, and stable IP address, then you can run it there. You can pay for a tiny cloud instance on amazon/rackspace/digitalocean/etc. There are cheaper options (including “one year free” amazon micro instances), but a small digitalocean instance will be $5/month. Personally, I keep a large server online for running many VMs and containers, and run the mail server there.

You will also need a certificate. That’s now easy and free with letsencrypt.

There are also some non-monetary costs. You may get a bit more spam. And once in awhile, you may run into a case where your mail server is being rejected by another.

On the other hand, the server is entirely yours. You can create as many accounts for individual purposes as you like. You can point multiple domain names at it, so that you don’t give away your primary one for every little purchase you make. Ten, twenty years from now, you can still have all your friends’ and family emails in the same place, in the same format. This last one is too often overlooked, yet one of the best advantages of open source for all applications.

Setup

I picked up a new hosted server, and installed Ubuntu 18.04 on it. First thing I did was go to my dns provider and register a name for it, and set up the new mx record to point to it. The details of this vary a bit depending on your dns provider, so I won’t go into detail here (I’ll do a post if people ask for clarification). If you’re looking for a provider, I do recommend zoneedit.

I installed lxc and created a new container in which to run my mailserver:

apt-get -y install lxc1
lxc-create -t download -n mail -- -d ubuntu -r bionic -a amd64

I gave it a static ip address through dnsmasq:

echo "dhcp-host=mail,10.0.5.155" >> /etc/lxc/dnsmasq.conf
echo "LXC_DHCP_CONFILE=/etc/lxc/dnsmasq.conf" >> /etc/default/lxc-net
sudo systemctl stop lxc-net
sudo systemctl start lxc-net

The point of the static ip address is to facilitate forwarding mail related ports into the container. I did this with a script started at boot by systemd:

cat > /usr/bin/container-ports-fwd << EOF
nic=enp0s31f6
iptables -t nat -A PREROUTING -p tcp -i ${nic} --dport 25 -j DNAT --to-destination 10.0.5.155:25
iptables -t nat -A PREROUTING -p tcp -i ${nic} --dport 465 -j DNAT --to-destination 10.0.5.155:465
iptables -t nat -A PREROUTING -p tcp -i ${nic} --dport 993 -j DNAT --to-destination 10.0.5.155:993
iptables -t nat -A PREROUTING -p tcp -i ${nic} --dport 587 -j DNAT --to-destination 10.0.5.155:587
EOF
chmod 755 /usr/bin/container-ports-fwd
cat > /etc/systemd/system/container-ports-forward.service << EOF
[Unit]
Description=Bring up port forwards for lxc
After=lxc-net.target
Before=lxc.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/container-ports-fwd

[Install]
WantedBy=multi-user.target
EOF

systemctl daemon-reload
systemctl enable container-ports-fwd
systemctl start container-ports-fwd

I also installed and ran letsencrypt on the host:

sudo apt -y install letsencrypt
letsencrypt -d mail.example.org -m me@my.mail certonly

Next I started up the container and installed the basic mail tools:

sudo lxc-start -n mail
sudo lxc-attach -n mail apt -y install dovecot-imapd postfix mutt

New since my last mail server install is the removal of dovecot-postfix in favor of the mail-stack-delivery package:

sudo lxc-attach -n mail apt -y install mail-stack-delivery

After this I copied the letsencrypt keys into the container

lxc-attach -n mail -- mkdir -p /etc/letsencrypt/live/mail.example.org
cp /etc/letsencrypt/live/mail.example.org/* /var/lib/lxc/mail/rootfs//etc/letsencrypt/live/mail.example.org

and edited
/etc/postfix/main.cf and /etc/dovecot/conf.d/10-ssl.conf to point to those using these lines:

smtpd_tls_cert_file = /etc/letsencrypt/live/mail.example.org/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.example.org/privkey.pem

This is enough to be able to send and receive mail. Personally, I want to run this server in a uid-mapped container and from a luks-encrypted device. While you can setup the whole container that way from the start, for simplicity of examples, you could at this point copy over and uid-shift the container contents to a new device, and update the container configuration accordingly.

Some notes which I should elaborate on later:

    • SPF

    • postscreen setup
    • /etc/postfix/master.cf, i.e. uncomment smtps
    • /etc/dovecot/conf.d details
  • Posted in Uncategorized | 2 Comments

    My phone’s not dumb, it just looks it.

    Well actually it is a little.

    For my money, the height of the smartphone age was 2009-2011. That brought us the Nokia n900 and Nokia n9. Both brilliant for their own reasons. There were devices before that which I’d be happy to have back. But nothing since then. Sure, the Ubuntu Edge or Neo900 would have been great. But they never came to be.

    So my current phone is chosen to match my lifestyle: A rugged Sonim XP5 . It runs Android. Without the full store, but you can sideload apps. It has no touchscreen, and only a numeric keypad. But it’s still pretty decent for one-handed operation. It does what I want out of a phone:

    • Calls
    • SMS
    • Email (with hacked K-9 Mail version)
    • Alarms and timer.
    • Flashlight, on/off with one button, no going through gui.
    • Browser. Just useful enough to look up a business, see its hours, and call.
    • Hotspot for laptop for anything more serious.
    • Waterproof (wash it under running water)
    • Rugged
    • 3 or more days battery life.
    • FM radio

    Addendum

    I wrote this some time ago but hadn’t posted it. Very lately I’ve actually been playing with sailfish. I really like the interface, but it’s not very reliable. I’m considering trying out ubuntu touch. I don’t really want to buy another phone (nexus 5), and ubuntu touch is known to not be working fully on my secondary phone, but I should be able to help with that, especially as there is mention of not attaching to LXC containers *duck*. Just have to decide I’m willing to remove sailfish.

    Posted in Uncategorized | 2 Comments

    Unprivileged container builds using stacker

    One of the primary goals of user namespaces was to provide the ability for unprivileged users to have their own range of uids over which they would have privilege, with minimal need for setuid programs and no risk (barring bugs in the OS) of their privilege having effect on uids which are not “their own”.

    We’ve had user namespaces for awhile now. While there are some actions which cannot be done in a user namespace, such as mounting a loopback filesystem, there are many things, such as setting up a build environment with custom package installs, which used to be a challenge without privilege but are now simple.

    My friend Tycho wrote stacker stacker as a tool for building OCI images. A few of its features include:

    • Creates OCI images.
    • Can also be used for general software building.
    • Supports layer re-use between build stages to minimize redundant I/O and time.
    • Supports unprivileged use!

    To show how to use stacker for unprivileged builds, I created a little demo readme. You can see it in the README.md at my stacker-demo github repo.

    Posted in Uncategorized | Leave a comment

    Outdoors laptop (part 2)

    Some time ago I posted about wanting an outdoor laptop. The first option I listed was a panasonic toughbook. Recently (a year and a half later) I finally ordered one. I ordered from bobjohnson.com, because the people there are a class act who’ve been calmly answering my questions for a long time.

    Some highlights:

    * It has a transflective display. This means that it is emissive, but also uses reflected sunlight to boost brightness, up to 6000 nits. In comparison, my previous thinkpad was 350 nit (unusable sometimes even in shade), and my macbook was 500nit. With this laptop, I can leave the display on 25% brightness and move from a dark basement to hurt-my-skin bright sunlight.

    * It’s ‘fully rugged’, so using it in rain or dust storms should not be an issue. (I lost 4G ram in my thinkpad to dust).

    * It has a shoulder strap ($20 extra) screwed on solidly.

    * It has a touchscreen with stylus. (To use this under ubuntu 18.04 I had to install xserver-xorg-input-evdev and remove xserver-xorg-input-libinput. Note just installing evdev was not enough) I may look like a dweeb, but I prefer this to smudging my screen.

    The laptop I got is a CF-19 MK6. This is several years old and refurbished. The reason I went with this instead of a new toughbook (besides price) is because, as far as I can tell, only the CF-19 MK5 through MK8 have the transflective display. The replacement for the CF-19 (the CF-20) may have a better screen (i’ve not seen it), but it is not transflective and comes in at “only” 1000nit. Same with the slightly larger nonconvertable laptops.

    Mind you, there is (I trust) a reason these screens did not take off – the colors are kind of washed out, and it’s low resolution. But for reading kernel code by the pool without draining the battery in 1 hr, the only thing I can imagine being better is an eink screen.

    The CF-19 is compact: it’s a 10″ (convertible) netbook. This keyboard is more cramped than on my old s100 netbook. I do actually kind of like the keys – they have a good travel depth and a nice click. But it’s weird going back to a full-size keyboard.

    The first time I measured the battery life, it shut down when battery listed 36% remaining, after a mere got 3 hours. Panasonic had advertised 10 hours for this laptop. 3 was unacceptable, and I was about ready to send it back. But, reading the powertop output, I noticed that the sound card was listed as taking tons of battery power. So for my next run I did a powertop –auto-tune, and got over 4 hours battery life. Then I noticed bluetooth radio doing the same, so I did rmmod btusb. These are now all done on startup by systemd. The battery still stops at 35%, which takes getting used to, but it’s acceptable.

    4.5 hours is still limiting, so I picked up a second battery and an external charger. I can charge one battery while using the other, or take both batteries along for a longer trip.

    In summary – i may have found my outdoors laptop. I’d still prefer it be thinner, with a slightly larger and mechanical keyboard, and have 12 hour battery life, delivered on a unicorn…

    (Here is an attempt to show the screen in very bright sunlight. It’s hard to get a good photo, since the camera wants to play its own games) :

    Posted in Uncategorized | 1 Comment

    TPM 2.0 in qemu

    If you want to test software which exploits TPM 2.0 functionality inside the qemu-kvm emulator, this can be challenging because the software stack is still quite new. Here is how I did it.

    First, you need a new enough qemu. The version on Ubuntu xenial does not suffice. The 2.11 version in Ubuntu bionic does. I believe the 2.10 version in artful is also too old, but might be mis-remembering haven’t tested that lately.

    The two pieces of software I needed were libtpms and swtpm. For libtpms I used the tpm2-preview.rev146.v2 branch, and for swtpm I used the tpm2-preview.v2 branch.

    apt -y install libtool autoconf tpm-tools expect socat libssl-dev
    git clone https://github.com/stefanberger/libtpms
    ( cd libtpms &&
      git checkout tpm2-preview.rev146.v2 &&
      ./bootstrap.sh &&
      ./configure --prefix=/usr --with-openssl --with-tpm2 &&
      make && make install)
    git clone https://github.com/stefanberger/swtpm
    (cd swtpm &&
      git checkout tpm2-preview.v2 &&
      ./bootstrap.sh &&
      configure --prefix=/usr --with-openssl --with-tpm2 &&
      make &&
      make install)
    

    For each qemu instance, I create a tpm device. The relevant part of the script I used looks like this:

    #!/bin/bash
    
    i=0
    while [ -d /tmp/mytpm$i ]; do
    let i=i+1
    done
    tpm=/tmp/tpm$i
    
    mkdir $tpm
    echo "Starting $tpm"
    sudo swtpm socket --tpmstate dir=$tpm --tpm2 \
                 --ctrl type=unixio,path=/$tpm/swtpm-sock &
    sleep 2 # this should be changed to a netstat query
    
    next_vnc() {
        vncport=0
        port=5900
        while nc -z 127.0.0.1 $port; do
            port=$((port + 1))
            vncport=$((vncport + 1))
        done
        echo $vncport
    }
    
    nextvnc=$(next_vnc)
    sudo kvm -drive file=${disk},format=raw,if=virtio,cache=none -chardev socket,id=chrtpm,path=/$tpm/swtpm-sock -tpmdev emulator,id=tpm0,chardev=chrtpm -device tpm-tis,tpmdev=tpm0 -vnc :$nextvnc -m 2048
    
    Posted in Uncategorized | 4 Comments

    Tagged window manager views

    I find myself talking about these pretty frequently, and it seems many people have never actually heard about them, so a blog post seems appropriate.

    Window managers traditionally present (for “advanced” users) “virtual” desktops and/or “multiple” desktops. Different window managers will have slightly different implementations and terminology, but typically I think of virtual desktops as being an MxN matrix of screen-sized desktops, and multiple desktops as being some number of disjoint MxN matrices. (In some cases there are only multiple 1×1 desktops) If you’re a MacOS user, I believe you’re limited to a linear array (say, 5 desktops), but even tvtwm back in the early 90s did matrices. In the late 90s Enlightenment offered a cool way of combining virtual and multiple desktops: As usual, you could go left/right/up/down to switch between virtual desktops, but in addition you had a bar across one edge of the screen which you could use to drag the current desktop so as to reveal the underlying desktop. Then you could do it again to see the next underlying one, etc. So you could peek and move windows between the multiple desktops.

    Now, if you are using a tiling window manager like dwm, wmii, or awesome, you may think you have the same kinds of virtual desktops. But in fact what you have is a clever ‘tagged view’ implementation. This lets you pretend that you have virtual desktops, but tagged views are far more powerful.

    In a tagged view, you define ‘tags’ (like desktop names), and assign one or more tags to each window. Your current screen is a view of one or more tags. In this way you can dynamically switch the set of windows displayed.

    For instance, you could assign tag ‘1’ or ‘mail’ to your mail window; ‘2’ or ‘web’ to your browser; ‘3’ or ‘work’ as well as ‘1’ to one terminal, and ‘4’ or ‘notes’ to another terminal. Now if you view tag ‘1’, you will see the mail and first terminal; if you view 1+2, you will see those plus your browser. If you view 2+3, you will see the browser and first terminal but not the mail window.

    As you can see, if you don’t know about this, you can continue to use tagged views as though they were simply multiple desktops. But you can’t get this flexibility with regular multiple or virtual desktops.

    (This may be a case where a video would be worth more than a bunch of text.)

    So in conclusion – when I complain about the primitive window manager on MacOS, I’m not just name-calling. A four-finger gesture to expose the 1xN virtual desktops just isn’t nearly as useful as being able to precisely control which windows I see together on the desktop.

    Posted in Uncategorized | Leave a comment