We are exhibiting at this year’s CeBIT event on March 5-9th, 2013 in Hannover Germany, in conjunction with our partner in the region, Teuto.net and we’re giving away number of free tickets to selected customers and partners. If you are interested in one of these tickets, please contact me at anthony.beckley@canonical.com for more information.

The Canonical/Teuto.net stand will be in the Open Source Arena (Hall 6, Stand F16, (030) and we will be showcasing two enterprise technology areas:

• The Ubuntu Cloud Stack – demonstrating end user access to applications via an OpenStack cloud, powered by Ubuntu,
• Ubuntu Landscape Systems Management – demonstrating ease of management of desktop, server and cloud nodes.

We will be running hourly demonstrations on our stand and attendees have the chance to win a Google Nexus 7 tablet! Simply come to out stand and watch a short demo or your chance to win If you would like to pre-register for a demonstration, email me at anthony.beckley@canonical.com

We look forward to seeing you at the show!

CeBIT draws a live audience of more than 3,000 people from over 100 different countries. In just five days the show delivers a panoramic view of the digital world’s mainstay markets: ICT and Telecommunications, Digital Media also Consumer Electronics.
To learn more about CeBIT click here.

Last time I discussed AppArmor, gave some background and some information on how it can be used. This time I’d like to discuss how AppArmor is used within Ubuntu. The information in this part applies to Ubuntu 12.10 and later, and unless otherwise noted, Ubuntu 12.04 LTS (and because we also push our changes into Debian, much of this will apply to Debian as well).

/etc/apparmor.d

• Ubuntu follows the upstream policy layout and naming conventions and uses the abstractions extensively. A few abstractions are Ubuntu-specific and they are prefixed with ‘ubuntu’. Eg /etc/apparmor.d/abstractions/ubuntu-browsers.
• Ubuntu encourages the use of the include files in /etc/apparmor.d/local in any shipped profiles. This allows administrators to make profile additions and apply overrides without having to change the shipped profile (will need to reload the profile with apparmor_parser, see /etc/apparmor.d/local/README for more information)
• All profiles in Ubuntu use ‘#include <tunables/global>’, which pulls in a number of tunables: ‘@{PROC}’ from ‘tunables/proc’, ‘@{HOME}’ and ‘@{HOMEDIRS}’ from ‘tunables/home’ and @{multiarch} from ‘tunables/multiarch’
• In addition to ‘tunables/home’, Ubuntu utilizes the ‘tunables/home.d/ubuntu’ file so that ‘@{HOMEDIRS}’ is preseedable at installation time, or adjustable via ‘sudo dpkg-reconfigure apparmor’
• Binary caches in /etc/apparmor.d/cache are used to speed up boot time.
• Ubuntu uses the /etc/apparmor.d/disable and /etc/apparmor.d/force-complain directories. Touching (or symlinking) a file with the same name as the profile in one of these directories will cause AppArmor to either skip policy load (eg disable/usr.sbin.rsyslogd) or load in complain mode (force-complain/usr.bin.firefox)

Boot

Policy load happens in 2 stages during boot:

1. within the job of a package with an Upstart job file
2. via the SysV initscript (/etc/init.d/apparmor)

For packages with an Upstart job and an AppArmor profile (eg, cups), the job file must load the AppArmor policy prior to execution of the confined binary. As a convenience, the /lib/init/apparmor-profile-load helper is provided to simplify Upstart integration. For packages that ship policy but do not have a job file (eg, evince), policy must be loaded sometime before application launch, which is why stage 2 is needed. Stage 2 will (re)load all policy. Binary caches are used in both stages unless it is determined that policy must be recompiled (eg, booting a new kernel).

dhclient is a corner case because it needs to have its policy loaded very early in the boot process (ie, before any interfaces are brought up). To accommodate this, the /etc/init/network-interface-security.conf upstart job file is used.

For more information on why this implementation is used, please see the upstart mailing list.

Packaging

AppArmor profiles are shipped as Debian conffiles (ie, the package manager treats them specially during upgrades). AppArmor profiles in Ubuntu should use an include directive to include a file from /etc/apparmor.d/local so that local site changes can be made without modifying the shipped profile. When a package ships an AppArmor profile, it is added to /etc/apparmor.d then individually loaded into the kernel (with caching enabled). On package removal, any symlinks/files in /etc/apparmor.d/disable, /etc/apparmor.d/force-complain and /etc/apparmor.d are cleaned up. Developers can use dh_apparmor to aid in shipping profiles with their packages.

Profiles and applications

Ubuntu ships a number of AppArmor profiles. The philosophy behind AppArmor profiles on Ubuntu is that the profile should add a meaningful security benefit while at the same time not introduce regressions in default or common functionality. Because it is all too easy for a security mechanism to be turned off completely in order to get work done, Ubuntu won’t ship overly restrictive profiles. If we can provide a meaningful security benefit with an AppArmor profile in the default install while still maintaining functionality for the vast majority of users, we may ship an enforcing profile. Unfortunately, because applications are not designed to run under confinement or are designed to do many things, it can be difficult to confine these applications while still maintaining usability. Sometimes we will ship disabled-by-default profiles so that people can opt into them if desired. Usually profiles are shipped in the package that provides the confined binary (eg, tcpdump ships its own AppArmor profile). Some in progress profiles are also offered in the apparmor-profiles package and are in complain mode by default. When filing AppArmor bugs in Ubuntu, it is best to file the bug against the application that ships the profile.

In addition to shipped profiles, some applications have AppArmor integration built in or have AppArmor confinement applied in a non-standard way.

Libvirt

An AppArmor sVirt driver is provided and enabled by default for libvirt managed QEMU virtual machines. This provides strong guest isolation and userspace host protection for virtual machines. AppArmor profiles are dynamically generated in /etc/apparmor.d/libvirt and usually you won’t have to worry about AppArmor confinement. If needed, profiles for the individual machines can be adjusted in /etc/apparmor.d/libvirt/libvirt-<uuid> or in all virtual machines in /etc/apparmor.d/abstractions/libvirt-qemu. See /usr/share/doc/libvirt-bin/README.Debian.gz for details.

LXC

LXC in Ubuntu uses AppArmor to help make sure files in the container cannot access security-sensitive files on the host. lxc-start is confined by its own restricted profile which allows mounting in the container’s tree and, just before executing the container’s init, transitioning to the container’s own profile. See LXC in precise and beyond for details. Note, currently the libvirt-lxc sVirt driver does not have AppArmor support (confusingly, libvirt-lxc is a different project than LXC, but there are longer term plans to integrate the two and/or add AppArmor support to libvirt-lxc).

Firefox

Ubuntu ships a disabled-by-default profile for Firefox. While it is known to work well in the default Ubuntu installation, Firefox, like all browsers, is a very complex piece of software that can do much more than simply surf web pages so enabling the profile in the default install could affect the overall usability of Firefox in Ubuntu. The goals of the profile are to provide a good usability experience with strong additional protection. The profile allows for the use of plugins and extensions, various helper applications, and access to files in the user’s HOME directory, removable media and network filesystems. The profile prevents execution of arbitrary code, malware, reading and writing to sensitive files such as ssh and gpg keys, and writing to files in the user’s default PATH. It also prevents reading of system and kernel files. All of this provides a level of protection exceeding that of normal UNIX permissions. Additionally, the profile’s use of includes allows for great flexibility for tightly confining firefox. /etc/apparmor.d/usr.bin.firefox is a very restricted profile, but includes both /etc/apparmor.d/local/usr.bin.firefox and /etc/apparmor.d/abstractions/ubuntu-browsers.d/firefox. /etc/apparmor.d/abstractions/ubuntu-browsers.d/firefox contains other include files for tasks such as multimedia, productivity, etc and the file can be manipulated via the aa-update-browser command to add or remove functionality as needed.

Chromium

A complain-mode profile for chromium-browser is available in the apparmor-profiles package. It uses the same methodology as the Firefox profile (see above) with a strict base profile including /etc/apparmor.d/abstractions/ubuntu-browsers.d/chromium-browser whichcan then include any number of additional abstractions (also configurable via aa-update-browser).

Lightdm guest session

The guest session in Ubuntu is protected via AppArmor. When selecting the guest session, Lightdm will transition to a restrictive profile that disallows access to others’ files.

libapache2-mod-apparmor

The libapache2-mod-apparmor package ships a disabled-by-default profile in /etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2. This profile provides a permissive profile for Apache itself but allows the administrator to add confinement policy for individual web applications as desired via AppArmor’s change_hat() mechanism (note, apache2-mpm-prefork must be used) and an example profile for phpsysinfo is provided in the apparmor-profiles package. For more information on how to use AppArmor with Apache, please see /etc/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 as well as the upstream documentation.

PAM

AppArmor also has a PAM module which allows great flexibility in setting up policies for different users. The idea behind pam_apparmor is simple: when someone uses a confined binary (such as login, su, sshd, etc), that binary will transition to an AppArmor role via PAM. Eg, if ‘su’ is configured for use with pam_apparmor, when a user invokes ‘su’, PAM is consulted and when the PAM session is started, pam_apparmor will change_hat() to a hat that matches the username, the primary group, or the DEFAULT hat (configurable). These hats (typically) provide rudimentary policy which declares the transition to a role profile when the user’s shell is started. The upstream documentation has an example of how to put this all together for ‘su’, unconfined admin users, a tightly confined user, and somewhat confined default users.

aa-notify

aa-notify is a very simple program that can alert you when there are denials on the system. aa-notify will report any new AppArmor denials by consulting /var/log/kern.log (or /var/log/audit/audit.log if auditd is installed). For desktop users who install apparmor-notify, aa-notify is started on session start via /etc/X11/Xsession.d/90apparmor-notify and will watch the logs for any new denials and report them via notify-osd. Server users can add something like ‘/usr/bin/aa-notify -s 1 -v’ to their shell startup files (eg, ~/.profile) to show any AppArmor denials within the last day whenever they login. See ‘man 8 aa-notify’ for details.

Current limitations

For all AppArmor can currently do and all the places it is used in Ubuntu, there are limitations in AppArmor 2.8 and lower (ie, what is in Ubuntu and other distributions). Right now, it is great for servers, network daemons and tools/utilities that process untrusted input. While it can provide a security benefit to client applications, there are currently a number of gaps in this area:

• Access to the DBus system bus is on/off and there is no mediation of the session bus or any other buses that rely on Unix abstract sockets, such as the accessibility bus
• AppArmor does not provide environment filtering beyond having the ability to clear the very limited set of glibc secure-exec variables
• Display management mediation is not present (eg, it doesn’t protect against X snooping)
• Networking mediation is too coarse-grained (eg you can allow ‘tcp’ but cannot restrict the binding port, integrate with a firewall or utilize secmark)
• LXC/containers support is functional, but not complete (eg, it doesn’t allow different host and container policy for the same binary at the same time)
• AppArmor doesn’t currently integrate with other client technologies that might be useful (eg gnome-keyring, signon/gnome-online-accounts and gsettings) and there is no facility to dynamically update a profile via a user prompt like a file/open dialog

Next time I’ll discuss ongoing and future work to address these limitations.

Will the real debug package please stand up

Description-en: GNOME multi-protocol chat and call client (debug symbols) Instant messaging program supporting text, voice, video, file transfers and inter-application communication over many different protocols, including: AIM, MSN, Google Talk (Jabber/XMPP), Facebook, Yahoo!, Salut, Gadu-Gadu, Groupwise, ICQ and QQ. This package contains the Empathy IM application and account manager.

Description: debug symbols for package empathy Instant messaging program supporting text, voice, video, file transfers and inter-application communication over many different protocols, including: AIM, MSN, Google Talk (Jabber/XMPP), Facebook, Yahoo!, Salut, Gadu-Gadu, Groupwise, ICQ and QQ. This package contains the Empathy IM application and account manager.

You can use either the -dbg or the -dbgsym packages, but you can't use both.

• Normal debian packages end in ".deb" (for example: empathy-dbg_3.6.0.3-0ubuntu1_amd64.deb)
• The packages on ddebs.ubuntu.com end in ".ddeb" (empathy-dbgsym_3.6.3-0ubuntu2_amd64.ddeb)

dbg packages

• The symbols it contains should be converted to useful function names (instead of being question marks)
• The source file names should be displayed (instead of paths to shared object (.so) and other binary files)

dbgsym packages

Automation \o/

1. Creating the dbgsym binary packages (this part seems to be fully implemented)
2. Publishing them to ddebs.ubuntu.com (this part may not be fully implemented)

Binary package oriented

Conflicts - a closer look

How dbgsym packages are created

ddeb: Huh? What?

• Posting them on ddebs.ubuntu.com 
• Not posting them on archive.ubuntu.com

Enough already: which to use?

• The trend is towards automatic generation of dbgsym packages and automatic posting of them to separate ddebs archive like http://ddebs.ubuntu.com
• Such ddeb archives should contain more debug symbol packages than the traditional dbg packages because they are automatically created for all appropriate packages (instead of relying on maintainers to add a dbg package) so you get more
• Such ddeb archives certainly should contain equivalents for the existing dbg packages as well, so you lose nothing
• If you want, you can just get the debug symbols you need, since dbgsym packages are more granular 

Using dbgsym

A caveat

Footnotes

Earlier we announced[1] that Canonical had worked this cycle to enable more frequent releases to the Ubuntu Cloud Images stable and long term releases. As of today, we are pleased to announce that Ubuntu Server 10.04 LTS, 11.10, 12.04 LTS and 12.10 are now fully enabled to follow the kernel SRU schedule with automated update releases. This means that within 24 hours of most SRU kernel releases, a new Ubuntu Cloud Image will be published.

Please note: with this change, the release notes have been moved the http://cloud-images.ubuntu.com/releases website. You can find them under <SUITE>/release/unpacked/release-notes.txt. Effective today, all emails announcing these new updates are discontinued. 

However, at this time, 12.04 LTS and 12.10 Cloud Images are not yet being promoted automatically to Windows Azure. We expect that as Windows Azure moves closer to General Availability (i.e. moves out of preview status) that automatic promotion will be enabled.

Please use either Cloud-Images[2], the AMI Finder[3], the RSS feed[4], or "ubuntu-cloudimg-query" from the Cloud-Utils packages to find the latest released images.

[1] http://blog.utlemming.org/2013/01/ubuntu-cloud-images-automated-release.html
     https://lists.ubuntu.com/archives/ubuntu-cloud-announce/2013-January/000045.html
     https://lists.ubuntu.com/archives/ubuntu-cloud/2013-January/000879.html
     https://groups.google.com/forum/?fromgroups=#!topic/ec2ubuntu/Mg-qpfguE10
[2] http://cloud-images.ubuntu.com/releases
[3] http://cloud-images.ubuntu.com/locator/ec2/
[4] http://cloud-images.ubuntu.com/rss/

Who doesn't love a good fruit salad?

Valgrind

Valgrind is a workhorse of looking at C programs at run time. It has many capabilities. The one we are interested in here is its 'memcheck' tool, which is used to find memory leaks [2]. 

For example, you can run valgrind --tool=memcheck /usr/bin/foo [3] and a report is generated:

• The report shows memory leaks created while running /usr/bin/foo. This includes leaks in foo's code and leaks in any code executed by foo, for example called functions that exist in external shared libraries. 
• For each leak, the log contains a stack trace that shows the sequence of function calls that created the memory leak. You can follow the stack trace by hand and find the code errors that lead to the memory leak, except for one issue: raw stack traces are like swiss cheese with lots of missing bits.

Raw stack traces are like swiss cheese

The problem with a raw stack trace is that it is full of holes.

What's missing? 

• In a  raw valgrind stack trace, one does not see function names or source code file names
• Instead one sees question marks for function names and executable file names (frequently shared object library files) instead of source file names

Fortunately, valgrind can display the function names and source code file names if the debug symbols are present (more on this below). 

Let's take a look at some real-life valgrind output and compare how it looks before and after debug symbols are present.

Here's a line from a raw valgrind memory leak stack trace:

==2874==    by 0x51E727D: ??? (in /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.600.0)

And here's how the same line looks with debug symbols for libgtk-3.0:

==3643==    by 0x51E727D: gtk_menu_item_class_intern_init (gtkmenuitem.c:427)

In the raw example: 

• The function name is unknown: ???
• The shared object file name in which the function lives is listed: /usr/lib/x86_64-linux-gnu/libgtk-3.so.0.600.0

In the debug symbols example:

• The function name is shown:  gtk_menu_item_class_intern_init
• The source code file name is shown: gtk_menu_item_class_intern_init:427 (It even knows the line number: 427)

Clearly, the second stack trace is much more useful for a human being who wants find and fix a memory leak. The question therefore is: how can we easily obtain the debug symbols that will make our valgrind stack traces useful? That's where apport comes in.

The apport connection

• Find the tree of packages that nm-applet needs to run (that is, the package that owns nm-applet and that package's direct and indirect dependencies)
• Find the available debug symbol packages for them and make their debug symbol files available in a temporary directory (in /tmp, unless you specify otherwise) called the 'sandbox'
• The debug symbols packages are not installed, but extracted into the sandbox directory
• The sandbox directory is deleted after use (again, unless you specified your own sandbox directory) 

Apport and valgrind: two peas in a pod

In Ubuntu 13.04 (Raring), the apport-valgrind package is introduced. The apport code that creates the sandbox was moved from apport-retrace into a new apport python module: apport/sandboxutils.py, which makes it available for new code, such as apport-valgrind.

So here's what apport-valgrind does:

• It uses apport/sandboxutils to obtain and extract all available debug symbol packages into the sandbox directory for your (packaged) executable
• It calls valgrind and tells it to also look in the sandbox directory (with the new --extra-debuginfo-path argument)
• When valgrind is done, the sandbox directory is deleted (there are options for persistent sandboxes -- useful when you want to use valgrind repeatedly)
• The valgrind log file is created in the current directory: ./vagrind.log

So with a single command like this: apport-valgrind nm-applet, you can generate a valgrind memory check log of stack traces with all available debug symbols used, with no new debug packages installed on the system and all debug  files (the sandbox) automatically deleted after execution.

So, apport and valgrind, a case of two peas in a pod :)

All of these strained metaphors about food make me hungry: time for lunch.

Footnotes

[1] Install it with sudo apt-get install apport-valgrind. You will also want to install valgrind and valgrind-dbgsym: sudo apt-get install valgrind valgrind-dbgsym

[2] A memory leak occurs in C when you allocate memory on the heap and fail to deallocate ('free') the memory. Such memory is not available for use by any process until the the code's main process terminates. If the process does not terminate (perhaps it is a daemon, or a piece of code that is persistent, such as a part of the desktop GUI) the memory is essentially lost forever.

[3] One picks the valgrind tool with --tool=TOOLNAME. The memcheck tool is the default, so there is no actual need to specify it.

[4] If the executable is not in a debian package, apport does not know how to find and get all appropriate debug packages. There are other approaches to automate this. See future posts here.

Appy polly loggies for the super long delay between episodes, but I finally carved out some time for our exciting dénouement in the memory leak detection series. Past episodes included detection and analysis.

As a gentle reminder, during analysis, we saw the following block of code:

 874                 GSList *dupes = NULL;
 875                 const char *path;
 876 
 877                 dupes = g_object_get_data (G_OBJECT (dup_data.found), "dupes");
 878                 path = nm_object_get_path (NM_OBJECT (ap));
 879                 dupes = g_slist_prepend (dupes, g_strdup (path));
 880 #endif
 881                 return NULL;

And we concluded with:

Is it safe to just return NULL without doing anything to dupes? maybe that’s our leak?
We can definitively say that it is not safe to return NULL without doing anything to dupes. We definitely allocated memory, stuck it into dupes, and then threw dupes away. This is our smoking gun.

But there’s a twist! Eagle-eyed reader Dave Jackson (a former colleague of mine from HP, natch) spotted a second leak! It turns out that line 879 was exceptionally leaky during its inception. As Dave points out, the call to g_slist_prepend() passes g_strdup() as an argument. And as the documentation says:

Duplicates a string. If str is NULL it returns NULL. The returned string should be freed with g_free() when no longer needed.

In memory-managed languages like python, the above idiom of passing a function as an argument to another function is quite common. However, one needs to be more careful about doing so in C and C++, taking great care to observe if your function-as-argument allocates memory and returns it. There is no mechanism in the language itself to automatically free memory in the above situation, and thus the call to g_strdup() seems like it also leaks memory. Yowza!

So, what to do about it?

The basic goal here is that we don’t want to throw dupes away. We need to actually do something with it. Here again are the 3 most pertinent lines.

 877                 dupes = g_object_get_data (G_OBJECT (dup_data.found), "dupes");
 878                 path = nm_object_get_path (NM_OBJECT (ap));
 879                 dupes = g_slist_prepend (dupes, g_strdup (path));
 881                 return NULL;

Let’s break these lines down.

1. On line 877, we retrieve the dupes list from the dup_data.found object
2. Line 878 gets a path to the duplicate wifi access point
3. Finally, line 879 adds the duplicate access point to the old dupes list
4. Line 881 throws it all away!

To me, the obvious thing to do is to change the code between lines 879 and 881, so that after we modify the duplicates list, we save it back into the dup_data object. That way, the next time around, the list stored inside of dup_data will have our updated list. Makes sense, right?

As long as you agree with me conceptually (and I hope you do), I’m going to take a quick shortcut and show you the end result of how to store the new list back into the dup_data object. The reason for the shortcut is that we are now deep in the details of how to program using the glib API, and like many powerful APIs, the key is to know which functions are necessary to accomplish your goal. Since this is a memory leak tutorial and not a glib API tutorial, just trust me that the patch hunk will properly store the dupes list back into the dup_data object. And if it’s confusing, as always, read the documentation for g_object_steal_data and g_object_set_data_full.

@@ -706,14 +706,15 @@
 +		GSList *dupes = NULL;
 +		const char *path;
 +
-+		dupes = g_object_get_data (G_OBJECT (dup_data.found), "dupes");
++		dupes = g_object_steal_data (G_OBJECT (dup_data.found), "dupes");
 +		path = nm_object_get_path (NM_OBJECT (ap));
 +		dupes = g_slist_prepend (dupes, g_strdup (path));
++		g_object_set_data_full (G_OBJECT (dup_data.found), "dupes", (gpointer) dupes, (GDestroyNotify) clear_dupes_list);
 +#endif
  		return NULL;
  	}

If the above patch format looks funny to you, it’s because we are changing a patch.

-+		dupes = g_object_get_data (G_OBJECT (dup_data.found), "dupes");
++		dupes = g_object_steal_data (G_OBJECT (dup_data.found), "dupes");

This means the old patch had the line calling g_object_get_data() and the refreshed patch now calls g_object_steal_data() instead. Likewise…

++		g_object_set_data_full (G_OBJECT (dup_data.found), "dupes", (gpointer) dupes, (GDestroyNotify) clear_dupes_list);

The above call to g_object_set_data_full is a brand new line in the new and improved patch.

Totally clear, right? Don’t worry, the more sitting and contemplating of the above you do, the fuller and more awesomer your neckbeard grows. Don’t forget to check it every once in a while for small woodland creatures who may have taken up residence there.

And thus concludes our series on how to detect, analyze, and fix memory leaks. All good? Good.

waiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiit!!!!!!!11!

I can hear the observant readers out there already frantically scratching their necks and getting ready to point out the mistake I made. After all, our newly refreshed patch still contains this line:

 +		dupes = g_slist_prepend (dupes, g_strdup (path));

And as we determined earlier, that’s our incepted memory leak, right? RIGHT!??

Not so fast. Take a look at the new line in our updated patch:

++		g_object_set_data_full (G_OBJECT (dup_data.found), "dupes", (gpointer) dupes, (GDestroyNotify) clear_dupes_list);

See that? The last argument to g_object_set_data_full() looks quite interesting indeed. It is in fact, a cleanup function named clear_dupes_list(), which according to the documentation, will be called

when the association is destroyed, either by setting it to a different value or when the object is destroyed.

In other words, when we are ready to get rid of the dup_data.found object, as part of cleaning up that object, we’ll call the clear_dupes_list() function. And what does clear_dupes_list() do, praytell? Why, let me show you!

static void
clear_dupes_list (GSList *list)
{
	g_slist_foreach (list, (GFunc) g_free, NULL);
	g_slist_free (list);
}

Trés interesante! You can see that we iterate across the dupes list, and call g_free on each of the strings we did a g_strdup() on before. So there wasn’t an inception leak after all. Tricky tricky.

A quick digression is warranted here. Contrary to popular belief, it is possible to write object oriented code in plain old C, with inheritance, method overrides, and even some level of “automatic” memory management. You don’t need to use C++ or python or whatever the web programmers are using these days. It’s just that in C, you build the OO features you want yourself, using primitives such as structs and function pointers and smart interface design.

Notice above we have specified that whenever the dup_data object is destroyed, it will free the memory that was stuffed into it. Yes, we had to specify the cleanup function manually, but we are thinking of our data structures in terms of objects.

In fact, the fancy features of many dynamic languages are implemented just this way, with the language keeping track of your objects for you, allocating them when you need, and freeing them when you’re done with them.

Because at the end of the day, it is decidedly not turtles all the way down to the CPU. When you touch memory in in python or ruby or javascript, I guarantee that something is doing the bookkeeping on your memory, and since CPUs only understand assembly language, and C is really just pretty assembly, you now have a decent idea of how those fancy languages actually manage memory on your behalf.

And finally now that you’ve seen just how tedious and verbose it is to track all this memory, it should no longer be a surprise to you that most fancy languages are slower than C. Paperwork. It’s always paperwork.

And here we come to the upshot, which is, tracking down memory leaks can be slow and time consuming and trickier than first imagined (sorry for the early head fake). But with the judicious application of science and taking good field notes, it’s ultimately just like putting a delicious pork butt in the slow cooker for 24 hours. Worth the wait, worth the effort, and it has a delicious smoky sweet payoff.

Happy hunting!

kalua pork + homemade mayo and cabbage

I’ve been playing around with LXC over the past few weeks and one of the things I tried out was limiting the memory that the container is allowed to use. I didn’t plan on explaining all the ins-and-outs of LXC here, but a short description is that LXC provides a virtualizedish environment that is more than a chroot gives you, but less than a full-blown virtual machine. If you want more details, please check out stgraber’s blog post about LXC in 12.04.

Kernel Configuration

The first thing you need to do in order to limit memory usage for LXC is make sure your kernel is properly configured, you need the following flag enabled:

CONFIG_CGROUP_MEM_RES_CTLR=y

If you plan on also limiting swap space usage, you’ll also need:

CONFIG_CGROUP_MEM_RES_CTLR_SWAP=y

These flags are enabled for me in my 12.10 kernel (3.5.0-22) and so presumably you’ll have them in 12.04.

Setting the Cap

First, I’m going to create my container. Following the instructions from stgraber’s blog post, and calling the container “memlimit”:

sudo lxc-create -t ubuntu -n memlimit

Once the container is built, we need to modify the config files. Look at /var/lib/lxc/memlimit/config. We need to add a few lines to that file. I’m going to limit memory to 512M and total usage or memory + swap to 1G. Note the second setting is for overall memory + swap, not just swap usage.

lxc.cgroup.memory.limit_in_bytes = 512M
lxc.cgroup.memory.memsw.limit_in_bytes = 1G

Now let’s start the container and get some debug info out of it to make sure these were set:

sudo lxc-start -n memlimit -l debug -o debug.out

The debug.out file will show up wherever you ran lxc-start from, so let’s see if it picked up our limits:

lxc-start 1359136997.617 DEBUG lxc_conf - cgroup 'memory.limit_in_bytes' set to '512M'
...
lxc-start 1359136997.617 DEBUG lxc_conf - cgroup 'memory.memsw.limit_in_bytes' set to '1G'

Looks good to me!

Note, I tried setting this once to 1.5G and it seems that the fields are only happy with whole numbers, it complained about 1.5G. That error message appeared in the same debug log I used above.

A list of more of the values you can set in here is available here.

Measuring Memory Usage

The view of /proc/meminfo inside the container and outside the container are the same. This means that you cannot rely on tools like top to show how much memory the container is using. In other words, when run inside the container top will correctly only show processes inside the container, it will also show overall memory usage for the entire system. To get valid information, instead we need to examine some files in /sys:

Current memory usage:
/sys/fs/cgroup/memory/lxc/memlimit/memory.usage_in_bytes

Current memory + swap usage:
/sys/fs/cgroup/memory/lxc/memlimit/memory.memsw.usage_in_bytes

Maximum memory usage:
/sys/fs/cgroup/memory/lxc/memlimit/memory.max_usage_in_bytes

Maximum memory + swap usage:
/sys/fs/cgroup/memory/lxc/memlimit/memory.memsw.max_usage_in_bytes

You can use expr to show it as kb or mb which is easier to read for me:

expr `cat memory.max_usage_in_bytes` / 1024
8188

What Happens When the Limit is Reached?

When the cap is reached, the container simply behaves as if the system ran out of memory. Calls to malloc will start failing (returning -1), leading to strange and bad things happening. Dialog boxes may not open, you may not be able to save files, and more than likely where people didn’t bother to check the returned value from malloc (aka, everyone), you’ll get segfaults. You can alleviate the pressure like normal systems do, by enabling swap inside the container, but once that limit is reached, you’ll have the same problem. In this case the host system’s kernel should start firing up the OOM killer and killing stuff inside the container.

Here is my extremely simple test program to drive up memory usage, install gcc in your container and you can try it too:

#include 
#include 

int main(void) {
    int i;
    for (i=0; i<65536; i++) {
        char *q = malloc(65536);
        printf ("Malloced: %ld\n", 65536*i);
    }
    sleep(9999999);
}

You can simply compiled with: gcc -o foo foo.c

I used the following simple shell construct to watch the memory usage. This needs to be run outside the container and I ran it from the /sys directory mentioned above:

while true; do echo -n "Mem Usage (mb): " \&\& expr `cat memory.usage_in_bytes` / 1024 / 1024; echo -n "Mem+swap Usage (mb): " \&\& expr `cat memory.memsw.usage_in_bytes` / 1024 / 1024; sleep 1; done

With the above shell script runnint, I fired up a bunch of copies of foo one bye one. Here’s the memory usage from that script:

Running a few copies:

Mem+swap Usage (mb): 825
Mem Usage (mb): 511
Mem+swap Usage (mb): 859
Mem Usage (mb): 511

A new copy of foo is starting:

Mem+swap Usage (mb): 899
Mem Usage (mb): 511
Mem+swap Usage (mb): 932
Mem Usage (mb): 511
Mem+swap Usage (mb): 1010
Mem Usage (mb): 511

The OOM killer just said “Nope!”

Mem+swap Usage (mb): 814
Mem Usage (mb): 511
Mem+swap Usage (mb): 825
Mem Usage (mb): 511

At the point where the OOM killer fired up, I see this in my container:
[1] Killed ./foo

So the limits are set, and they’re working.

Conclusion

If you are using LXC or considering using LXC, you can use a memory limit to protect the host from a container run amok. You could also use it to test your code in an artificially restricted environment. In either case, try the tools above and let me know how it works for you.

Traditionally, updates for the stable release and long term stable release Cloud Images have been on an ad-hoc basis; reasons for releasing new images were generally restricted to security, critical bugs, and stale images. This ad-hoc update cycle meant that updated images were only released every three months or so, and for older releases, as often as six months.

While quality has always been a concern and top priority, during this cycle, Canonical has worked to vastly improve the QA infrastructure to support our Cloud Images. For example, when a new kernel is released, the daily build for that image is now put through the complete QA process. This change in process has allowed us to identify and automatically evaluate whether or not an image is a good candidate for update release.


As such, we are pleased to announce in the next few weeks, we will be turning on automated updates for Ubuntu Server 10.04 LTS, 11.10, 12.04 LTS, and 12.10. This means that approximately every three to four weeks, a new, freshened image will be released. The release cadence will follow the kernel SRU process.

The first updated image to be released under this process was 10.04 LTS[1].

There are a variety of ways to find the released Cloud Images. The two easiest ways are to go the AMI Finder[2] or use http://cloud-images.ubuntu.com/releases/<SUITE>/release. For example, http://cloud-images.ubuntu.com/releases/lucid/release would bring you to the last AMI's for Ubuntu Server 10.04 LTS.

Due to this change, we will discontinuing the email notifications of updated images to the various email lists for updated images. At UDS-R in Copenhagen[3], we discussed email notifications and the decision was reached to discontinue them. Replacing email notification is the RSS feed[4] and release notes (example from 10.04 LTS)[5].

As Cloud Image suites are migrated to automated releases, we will follow up on this announcement.

Finally, for 12.04 LTS and later, this change will introduce lock-step update releases with Windows Azure. As Windows Azure moves towards GA, we have been working to have the same releases for the Ubuntu Server Cloud Images on both EC2 and Windows Azure.

As always, your feedback is most appreciated. Please feel free to follow on either this post or to email concerns direct to me.

[1] http://cloud-images.ubuntu.com/releases/lucid/release-20130124/
[2] http://cloud-images.ubuntu.com/locator/ec2/
[3] http://blueprints.launchpad.net/ubuntu/+spec/servercloud-r-cloudtesting
[4] http://cloud-images.ubuntu.com/rss/
[5] http://cloud-images.ubuntu.com/releases/lucid/release-20130124/unpacked/release_notes.txt

We are pleased to announce the availability of beta Vagrant Cloud Images. These images have been customized to work with the Vagrant development environment, and are based on the Ubuntu Cloud Images. As such, these are vanilla images. They do, however, have the Virtualboxguest additions found in the Universe archive (required for Vagrant integration). 

For those who use Vagrant, your feedback is essential. Please feel free to send feedback via the ubuntu-cloud@lists.ubuntu.com mailing list.

The images are approximately 256M in size, and are configured for 512MB of RAM. They use a custom cloud-init user-data to drive the first boot. And of course, they have the vagrant user with vagrant insecure SSH key pre-installed. During the beta period, we will not be promoting any of the Vagrant boxes with the regular releases of the Ubuntu Cloud Images and will only publish the daily image builds; after the beta period these images will be promoted with the releases.

To kick the tires on the Vagrant images, take a look at http://cloud-images.ubuntu.com/vagrant. I will be working with the fine folks at Vagrant to get the official Ubuntu Vagrant images listed at  http://www.vagrantbox.es/

If you are interested in learning about the Vagrant development environment, head on over to Vagrant for more information.

After missing my weekly live Ubuntu and Community Management video Q&A last week due to exhibiting at CES, I will be doing this week’s live video Q&A on Monday 14th January 2013 (tomorrow) at 7pm UTC (click here for the time in your location). The day is different this week as I need to join a sprint later this week.

I will be kicking off the session with a summary of Ubuntu at CES and a summary of the response to Ubuntu on phones in general as well next steps. We will then get into the Q&A, and as ever, you are welcome to ask me absolutely anything on the show.

To join, head over to Ubuntu On Air at 7pm UTC on Monday 14th January 2013 and you can ask your questions in the embedded chat box.

Look forward to seeing you all there!

A lot of exciting work has been going on with AppArmor and this multipart series will discuss where AppArmor is now, how it is currently used in Ubuntu and how it fits into the larger application isolation story moving forward.

Brief History and Background

AppArmor is a Mandatory Access Control (MAC) system which is a Linux Security Module (LSM) to confine programs to a limited set of resources. AppArmor’s security model is to bind access control attributes to programs rather than to users. AppArmor confinement is provided via profiles loaded into the kernel. AppArmor profiles can be in one of two modes: enforcement and complain. Profiles loaded in enforcement mode will result in enforcement of the policy defined in the profile as well as reporting policy violation attempts (either via syslog or auditd) such that what is not allowed in policy is denied. Profiles in complain mode will not enforce policy but instead report policy violation attempts. AppArmor is typically deployed on systems as a targeted policy where only some (eg high risk) applications have an AppArmor profile defined, but it also supports system wide policy.

Some defining characteristics of AppArmor are that it:

• is root strong
• is path-based
• allows for mixing of enforcement and complain mode profiles
• uses include files to ease development
• is very lightweight in terms of resources
• is easy to learn
• is relatively easy to audit

AppArmor is an established technology first seen in Immunix and later integrated into SUSE and Ubuntu and their derivatives. AppArmor is also available in Debian, Mandriva, Arch, PLD, Pardus and others. Core AppArmor functionality is in the mainline Linux kernel starting with 2.6.36. AppArmor maintenance and development is ongoing.

An example AppArmor profile

Probably the easiest way to describe what AppArmor does and how it works is to look at an example, in this case the profile for tcpdump on Ubuntu 12.04 LTS:

#include <tunables/global>
/usr/sbin/tcpdump {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>
  capability net_raw,
  capability setuid,
  capability setgid,
  capability dac_override,

  network raw,
  network packet,

  # for -D
  capability sys_module,
  @{PROC}/bus/usb/ r,
  @{PROC}/bus/usb/** r,

  # for finding an interface
  @{PROC}/[0-9]*/net/dev r,
  /sys/bus/usb/devices/ r,
  /sys/class/net/ r,
  /sys/devices/**/net/* r,

  # for tracing USB bus, which libpcap supports
  /dev/usbmon* r,
  /dev/bus/usb/ r,
  /dev/bus/usb/** r,

  # for init_etherarray(), with -e
  /etc/ethers r,

  # for USB probing (see libpcap-1.1.x/
  # pcap-usb-linux.c:probe_devices())
  /dev/bus/usb/**/[0-9]* w,

  # for -z
  /bin/gzip ixr,
  /bin/bzip2 ixr,

  # for -F and -w
  audit deny @{HOME}/.* mrwkl,
  audit deny @{HOME}/.*/ rw,
  audit deny @{HOME}/.*/** mrwkl,
  audit deny @{HOME}/bin/ rw,
  audit deny @{HOME}/bin/** mrwkl,
  owner @{HOME}/ r,
  owner @{HOME}/** rw,

  # for -r, -F and -w
  /**.[pP][cC][aA][pP] rw,

  # for convenience with -r (ie, read 
  # pcap files from other sources)
  /var/log/snort/*log* r,

  /usr/sbin/tcpdump r,

  # Site-specific additions and overrides. See 
  # local/README for details.
  #include <local/usr.sbin.tcpdump>
}

This profile is representative of traditional AppArmor profiling for a program that processes untrusted input over the network. As can be seen:

• profiles are simple text files
• comments are supported in the profile
• absolute paths as well as file globbing can be used when specifying file access
• various access controls for files are present. From the profile we see ‘r’ (read), ‘w’ (write), ‘m’ (memory map as executable), ‘k’ (file locking), ‘l’ (creation hard links), and ‘ix’ to execute another program with the new program inheriting policy. Other access rules also exists such as ‘Px’ (execute under another profile, after cleaning the environment), ‘Cx’ (execute under a child profile, after cleaning the environment), and ‘Ux’ (execute unconfined, after cleaning the environment)
• access controls for capabilities are present
• access controls for networking are present
• explicit deny rules are supported, to override other allow rules (eg access to @{HOME}/bin/bad.sh is denied with auditing due to ‘audit deny @{HOME}/bin/** mrwkl,’ even though general access to @{HOME} is permitted with ‘@{HOME}/** rw,’)
• include files are supported to ease development and simplify profiles (ie #include <abstractions/base>, #include <abstractions/nameservice>, #include <abstractions/user-tmp>, #include <local/usr.sbin.tcpdump>)
• variables can be defined and manipulated outside the profile (#include <tunables/global> for @{PROC} and @{HOME})
• AppArmor profiles are fairly easy to read and audit

Complete information on the profile language can be found in ‘man 5 apparmor.d’ as well as the AppArmor wiki.

Updating and creating profiles

AppArmor uses the directory heirarchy as described in policy layout, but most of the time, you are either updating an existing profile or creating a new one and so the files you most care about are in /etc/apparmor.d.

The AppArmor wiki has a lot of information on debugging and updating existing profiles. AppArmor denials are logged to /var/log/kern.log (or /var/log/audit/audit.log if auditd is installed). If an application is misbehaving and you think it is because of AppArmor, check the logs first. If there is an AppArmor denial, adjust the policy in /etc/apparmor.d, then reload the policy and restart the program like so:

$ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.foo
$ sudo apparmor_parser -a /etc/apparmor.d/usr.bin.foo
$ <restart application>

Oftentimes it is enough to just reload the policy without unloading/loading the profile or restarting the application:

$ sudo apparmor_parser -r /etc/apparmor.d/usr.bin.foo

Creating a profile can be done either with tools or by hand. Due to the current pace and focus of development, the tools are somewhat behind and lack some features. It is generally recommended that you profile by hand instead.

When profiling, keep in mind that:

• AppArmor provides an additional permission check to traditional Discretionary Access Controls (DAC). DAC is always checked in addition to the AppArmor permission checks. As such, AppArmor cannot override DAC to provide more access than what would be normally allowed.
• AppArmor normalizes path names. It resolves symlinks and considers each hard link as a different access path.
• AppArmor evaluates file access by pathname rather than using on disk labeling. This eases profiling since AppArmor handles all the labelling behind the scenes.
• Deny rules are evaluated after allow rules and cannot be overridden by an allow rule.
• Creation of files requires the create permission (implied by w) on the path to be created. Separate rules for writing to the directory of where the file resides are not required. Deletion works like creation but requires the delete permission (implied by w). Copy requires ‘r’ of the source with create and write at the destination (implied by w). Move is like copy, but also requires delete at source.
• The profile must be loaded before an application starts for the confinement to take effect. You will want to make sure that you load policy during boot before any confined daemons or applications.
• The kernel will rate limit AppArmor denials which can cause problems while profiling. You can avoid this be installing auditd or by adjusting rate limiting in the kernel:

  $ sudo sysctl -w kernel.printk_ratelimit=0

Resources

There is a lot of documentation on AppArmor (though some is still in progress):

• AppArmor upstream documentation
• Debugging AppArmor in Ubuntu
• apparmor.d man page
• apparmor man page
• Ubuntu AppArmor Documentation

Next time I’ll discuss the specifics of how Ubuntu uses AppArmor in the distribution.

Thanks to Seth Arnold and John Johansen for their review.

For sometime people have been asking me "when will Cloud Images sport a Twitter account?" Well, wait no longer, because the Ubuntu Cloud Image Builder now has a Twitter Account.

The Cloud Image process will now Tweet when a new image is build and published -- dailies, new release updates and new versions being releases. For right we're only Tweeting EC2 information, but once Windows Azure goes GA, we'll start Tweeting that too.

So in the meantime, you can follow our faithful Cloud Builder as it tweets merrily its build progress at @UbuCloudImages. But I'll have to warn you, the Cloud Builder won't response to tweets, so we're not snubbing you if there is no response.

If Twitter isn't your cup of tea, or coffee, or <insert liquid refreshment here>, how about RSS. A while back in November, we introduced RSS feeds for the Ubuntu Cloud Images.

There is a feed for both released images and dailies. The feeds are really simple: they show all the builds that are available. This is a great way to track new releases of the Ubuntu Cloud Images if you don't want want to follow Twitter, hate checking your email or you don't care much for reading our announcement emails.

Anyway, enjoy the RSS.

• 12.04.1: http://cloud-images.ubuntu.com/azure/precise/20121218/
• 12.10: http://cloud-images.ubuntu.com/azure/quantal/20121218/

• hv-kvp-daemon-init: handles hypervisor communication with Ubuntu
• walinuxagent: Windows Azure Linux provisioning agent and Azure fabric registration agent
• A kernel based on 3.7 or backports of the HV stack Ubuntu 13.04 kernels support the HV stack normally.
• Install the linux-tools-common package.
• 12.04 and 12.10 Ubuntu kernels will need the linux-backports-hv-{precise,quantal}-virtual package installed. This package is a complete backport of the _entire_ HV stack from Ubuntu 13.04.
• Set /etc/apt/sources.list to use the hosted-in-Azure Ubuntu mirrors (http://azure.archive.ubuntu.com), which will use the speedy mirrors local to your Azure virtual machine. WARNING: these mirrors are dreadfully slow outside Azure.

Special thanks

Last week I was running some cairo perf traces on the Nexus7. Cairo-perf traces are a great way to measure 2d graphics performance and to use those numbers to measure the effects of code, hardware, or driver changes. One other cool thing is that with this tool you can do a benchmark on something like Chromium or Firefox without even needing the application installed.

The purpose of this post is to briefly explain how to build the traces, how to run the tools on Ubuntu, and finally a quick look at some results on the Nexus7.

Before running the tools you need to get setup and build the traces. A full clone and build will use several gigs of disk space. Since the current N7 image only builds a 6G or so filesystem, you may want to build the traces in a pbuilder. The disk I/O on the N7 is also pretty slow, so I found that building in the pbuilder, even though it runs inside a qemu, is much faster on my Core i5 + SSD.

In the steps below I’ve tried to call out the things you can do to reduce the disk space.

Building the traces

1. Setup the build environment

sudo apt­-get install libcairo2­dev lzma git

2. Grab the traces from git

git clone git://anongit.freedesktop.org/cairo­traces

3. (Optional) Remove unused files to save on disk space. Don’t do this if you plan on submitting changes back upstream.

cd cairo­traces
rm -­rf .git

4. Build the benchmarks, I used -j4 on my laptop and -j2 on the Nexus7. I didn’t really investigate the optimal value.

make -j4 benchmarks

5. The benchmark directory is now ready to use for traces. If you built it on a different system, you only need to copy over this directory. You can delete the lzma files if you want.

The traces you are pixman version specific, so if you have a Raring based system like the Nexus7, you can’t re-use them on a Precise based box.

Running cairo-perf-trace

1, Before you start, delete the ocitysmap trace from the benchmarks folder. It uses too much RAM and ended up locking up my N7.

2. If you are at the command line, connected via ssh for example, you need to set the display or it will segfault, simply run export DISPLAY=:0

3. Run the tool, I’d start first with a simple trace to make sure that everything is working.

CAIRO_TEST_TARGET=image cairo-­perf-­trace ­i3 ­r ./benchmark/gvim.trace > ~/result_image.txt

In that command above we did a few things, first we set the cairo backend. Image is a software renderer, you probably want to use xlib or xcb to test hardware. If you don’t set the CAIRO_TEST_TARGET it will try all the back-ends, this will take a long long time and I don’t recommend doing it. A simple way to get the tool to list them all is to set it to a bad value, for example

mfisch@caprica:~$ CAIRO_TEST_TARGET=mfisch cairo-perf-trace
Cannot find target 'mfisch'.
Known targets: script, xcb, xcb-window, xcb-window&, xcb-render-0.0, xcb-fallback, xlib, xlib-window, xlib-render-0_0, xlib-fallback, image, image16, recording

The next argument, -i3 tells it to run 3 iterations, this gives us a good set of data to work with. -r asks for raw output, which is literally just the amount of time the trace took to run. Finally ./benchmark/gvim.trace shows which trace to run. You can pass in a directory here and it will run them all, but I’d recommend trying that just one until you know that it’s working. When you’re running a long set of traces doing a tail -f on the result file can help assure you that it’s working without placing too heavy of a load on the system. The hardware backend runs took almost all day to finish, so you should always be plugged into a power source when doing this.

The output should look something like this:
[ # ] backend.content test-size ticks-per-ms time(ticks) ...
[*] xlib.rgba chromium-tabs.0 1e+06 1962036000 1948712000 1938894000

Making Pretty Graphs

Once you have some traces you can make charts with cairo-perf-chart. This undocumented tool has several options which I determined by reading the code. I did send a patch to add a usage() statement to this tool, but nobody has accepted it yet. First, the basic usage, then the options:

cairo-perf-chart nexus7_fbdev_xlib.txt nexus7_tegra3_xlib.txt

cairo-perf-chart will build two charts with that command, one will be an absolute chart, on that chart, larger bars indicate worse performance. The second chart, the relative chart takes the first argument as the baseline and compares the rest of the results files against it. On the relative chart, a number below the zero line indicates that the results are slower than the baseline (which is the first argument to cairo-perf-chart.

Now a quick note about the useful arguments. cairo-perf-chart can take as many results files as you want to supply it when building graphs, if you’d like to compare more than two files. If you want to resize the chart, just pass –width= and –height=, defaults are 640×480. Another useful option is –html which generates an HTML comparison chart from the data. The only issue with this option is that you manually need to make a table header and stick it in to a basic HTML document.

Some Interesting Results

Now some results from the Nexus7 and they are actually pretty interesting. I compared the system with and without the tegra3 drivers enabled. Actually I just plain uninstalled the tegra3 drivers to get some numbers with fbdev. My first run used the image backend, pure software rendering. As expected the numbers are almost identical, since the software rendering is just using the same CPU+NEON.

Absolute Results – Tegra3 vs fbdev drivers, image (software) backend

Relative Results – Tegra3 vs fbdev drivers, image (software) backend

The second set of results are more interesting. I switched to the xlib backend so we would get hardware rendering. With the tegra3 driver enabled we should expect a massive performance gain, right?

Absolute Results – Tegra3 vs fbdev drivers, xlib backend

Relative Results – Tegra3 vs fbdev drivers, xlib backend

So as it turns out the tegra3 is actually way slower than fbdev and I don’t know why. I think that this could be for a variety of reasons, such as unoptimized 2d driver code or hardware (CPU+NEON vs Tegra3 GPU).

Now that we have a method for gathering data, perhaps we can solve that mystery?

If you want to know more about the benchmarks or see some more analysis, you should read this great post which is where I found out most of the info on running the tools. If you want to know more background about the cairo-perf trace tools you might want to read this excellent blog post.

I have recently been doing some work with Qt and DBus and I got stuck a little on how to correctly send a {sv} over DBus. Either my google-fu is terrible or there are not many examples on how to do this, therefore here is a small static method that will return a {sv} that can be send via DBus without getting a wrong parameters error:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

 
#ifndef DBUS_HELPER_H
#define DBUS_HELPER_H
 
#include 
#include 
#include 
#include 
 
typedef QHash DBusStringHash;
class DBusHelper : public QObject
{
    Q_OBJECT
public:
    static int DBUS_STRING_MAP_ID;
 
    explicit DBusHelper(QObject *parent = 0);
 
    static class _init
    {
        public:
            _init()
            {
                // diff actions to init
                qRegisterMetaType("DBusStringHash");
                qDBusRegisterMetaType();
                DBUS_STRING_MAP_ID = QMetaType::type("DBusStringHash");
            }
    } _initializer;
 
    static QVariant getVariant(DBusStringHash hash);
 
};
 
Q_DECLARE_METATYPE(DBusStringHash)
#endif // DBUS_HELPER_H

1
2
3
4
5
6
7
8
9
10
11
12
13

// required for the init
int DBusHelper::DBUS_STRING_MAP_ID = 0;
DBusHelper::_init DBusHelper::_initializer;
 
DBusHelper::DBusHelper(QObject *parent) :
    QObject(parent)
{
}
 
QVariant DBusHelper::getVariant(DBusStringHash hash)
{
    return QVariant(DBUS_STRING_MAP_ID, &hash);
}

I added the init trick so that there is no need to manually register the types. I hope it helps!

Announcing new 12.04.1 and 12.10 Image availability

We are pleased to announce the immediate availability of the latest 12.04.1 (Precise Pangolin) and 12.10 (Quantal Quetzal) Cloud Images on Windows Azure. These images are named:

• 12.04.1: Ubuntu-12_04_1-LTS-amd64-20121218-en-us-30GB
• 12.10: Ubuntu-12_10-amd64-20121218-1-en-us-30GB

Please note, that due to the way that Windows Azure Gallery works, we will not be able to maintain older images on the gallery. As new images become available, we will be expiring old images. If you need a specific version/serial of a Ubuntu Cloud Image, we strongly suggest that you snapshot and use that version.
Action required: Updates for Existing Images

ACTION REQUIRED: Update existing 12.04.1 or 12.10 images

Over the last year, its been our pleasure to work with Microsoft to build the Ubuntu Cloud Images for Windows Azure. As the platform has matured, Microsoft had to introduce a few breaking changes that will require the attention of our users. These changes were introduced in the Virtualization layer of the platform and improve performance, and most importantly, stability. However, these changes require that users either use an updated image or update their existing images to support the changes.

To learn more about the changes that Microsoft has implemented, please see Microsoft’s announcement.

All Ubuntu users who have instances running on Windows Azure need to make sure that they take action BEFORE January 20,2013 (else, they might find the Mayan prophecy 30 days late, as far as their instances are concerned).

If, however, you want to update existing images, then we present to you, utlemming’s tl;dr update guide (or you can use Microsoft’s guide, which does the same stuff, just with more explicit commands).

utlemming’s tl;dr update guide

From a Ubuntu perspective the changes required for 12.04 and 12.10 are:

• CHANGE the current archive mirrors to the on-site Azure mirrors. Canonical has worked to build fast and stable regional mirrors which are co-located in each Azure region. To reduce your bandwidth costs and improve the experience of installing software, all users should update to the new mirrors.
• CHANGE bootloader configuration to include kernel parameters of “rootdelay=300 console=ttyS0″
• ADD hv-kvp-daemon-init, which facilitates the start of the hv-kvp-daemon and supporting scripts. The hv-kvp-daemon handles hyper-visor-to-Ubuntu communication channels.
• ADD linux-backports-hv-{precise,quantal}-virtual (lbm module). The lbm module backports the 3.7 HV stack to support new hypervisor features, as well as increase performance and stability.
• UPDATE walinuxagent to version 1.2. Microsoft has introduced some bug fixes to the way that provisioning of Linux images work. This updated agent will reduce provisioning failures.

Update Ubuntu 12.04 and 12.04.1

For those running 12.04 and 12.04.1, the following steps are needed to fully update Ubuntu to Windows Azure compatibility:

1. sudo sed -i “s,archive.ubuntu.com,azure.archive.ubuntu.com,g” /etc/apt/sources.list
2. sudo apt-add-repository ‘http://archive.canonical.com/ubuntu precise-backports main’
3. sudo apt-get update
4. sudo apt-get install hv-kvp-daemon-init walinuxagent linux-backports-modules-hv-precise-virtual
5. (recommended) sudo apt-get dist-upgrade
6. sudo reboot

Update Ubuntu 12.10

For those running 12.10, the following steps are needed to fully update Ubuntu to Windows Azure compatibility:

1. sudo sed -i “s,archive.ubuntu.com,azure.archive.ubuntu.com,g” /etc/apt/sources.list
2. sudo apt-add-repository ‘http://archive.canonical.com/ubuntu quantal-backports main’
3. sudo apt-get update
4. sudo apt-get install hv-kvp-daemon-init walinuxagent linux-backports-modules-hv-precise-virtual
5. (recommended) sudo apt-get dist-upgrade
6. sudo reboot

Update the Boot Loader Configuration

Ubuntu instances running on Windows Azure need to be configured for a long root delay (how long will Ubuntu wait for the root device to appear) and to output kernel messages to the serial console.

Edit /etc/default/grub and make sure that the GRUB_CMDLINE_LINUX_DEFAULT has “console=ttyS0 rootdelay=300” in it. For example:

GRUB_CMDLINE_LINUX_DEFAULT="console=ttyS0 rootdelay=300”


Then run the following:

1. sudo update-grub
2. (optional) sudo reboot

Bring-your-own-Ubuntu (BYOU)

Obviously, we would love for you to use the images that Canonical builds. After all, we have a team that has put in countless hours building, perfecting and QA’ing. But, if for some reason you can’t, then can we suggest that you start with our base images? You can find them here:

• 12.04.1: http://cloud-images.ubuntu.com/azure/precise/20121218/
• 12.10: http://cloud-images.ubuntu.com/azure/quantal/20121218/

These VHD files are the exact base-bits that have been uploaded and registered in the Windows Azure environment. Even better, these are based on the 20121218 Amazon AWS EC2 official images with the same package version and set (except there are a few more packages to support Windows Azure).

TIP: If you use the VHD files for BYOU, cloud-init is installed. Cloud-init is the magic sauce in the Ubuntu Cloud Images that gives each instance of Ubuntu running in the cloud a personaility; for Windows Azure, Cloud-Init and WALinuxAgent work side-by-side to offer the best Ubuntu experience. We have configured cloud-init for NoDataSource, which means that it will look for user-data in /var/lib/cloud/seed/nocloud-net/user-data. Simply drop your user-data script in there, and at boot time, it will be run. Also, you can edit /etc/cloud/cloud.cfg as well to use different mirrors, add SSH keys, etc. You can read more about cloud-init here: https://help.ubuntu.com/community/CloudInit

For the adventurous that like to spin their own bits, please make sure that you have the following packages installed.

• hv-kvp-daemon-init: handles hypervisor communication with Ubuntu
• walinuxagent: Windows Azure Linux provisioning agent and Azure fabric registration agent
• A kernel based on 3.7 or backports of the HV stack Ubuntu 13.04 kernels support the HV stack normally.
• Install the linux-tools-common package.
• 12.04 and 12.10 Ubuntu kernels will need the linux-backports-hv-{precise,quantal}-virtual package installed. This package is a complete backport of the _entire_ HV stack from Ubuntu 13.04.
• Set /etc/apt/sources.list to use the in-Azure (http://azure.archive.ubuntu.com), which will use the speedy mirrors in Ubuntu. WARNING: these mirrors are dreadfully slow outside Azure.

Follow the Windows Azure recommendations for publication.

NOTE: It is very hard to generate a VHD file that is compatible with Windows Azure using open-source tools without playing a very annoying and disk-space intensive dance. For this reason we strongly recommend using the VHD files above, or using the in-Azure images and taking a snapshot.

Special thanks

The Ubuntu Cloud Image team recognizes that the success on Windows Azure would not be possible if not for the amazing help and special talents of Adam Conrad (infinity), Andy Whitcroft (apw) and the QA and Certification staff, as well as our fine colleges at Microsoft.

We are delighted to announce that, as of Friday, we have new Azure mirrors online. These new mirrors use a single URL:

http://azure.archive.ubuntu.com

To use these new mirrors, simply replace your existing mirrors with the one above.

Summary: Makyo: the GUI can break the charm bcsaller: Write user stories as functional tests: improv plus Selenium bcsaller: card velocity improving gary_poster: run the tests before landing, or, we are not as good as an automatic tester gary_poster: teknico is "documentation daddy" bcsaller and Makyo: proliferation of ENV=1 make [target] rules goodspud: what do we do with the juju-gui charm in