Tumblelog by Soup.io
Newer posts are loading.
You are at the newest post.
Click here to check if anything new just came in.

October 06 2019

October 03 2019

Who Dares Wins by Dominic Sandbrook Ade is on page 57 of 864 of <a href="/book/show/43389716-who-dares-wins">Who Dares Wins</a>.
Ade wrote: Initial thought: the two previous hardback tomes in this series had fairly classy-looking covers. This one...doesn't. Although it conveys "sustained jingoistic nightmare" quite well.

You'll do well to get through the first chapter on Mrs T without feeling faintly queasy. It's even-handed but even so, there's more praise in there than many would feel she deserved.

October 02 2019

Nairns Towns by Ian Nairn Ade gave 2 stars to Nairns Towns (Paperback) by Ian Nairn
Meh. Ian Nairn blows into a town, sprays the place copiously with adjectives, then leaves. What are these places like to live in, how do the buildings function? He doesn't ask anyone who lives there; that isn't considered. Even as historical record, it fails to convey much useful detail. Also, like his mentor Pevsner, there's an obsessive focus on ecclesiastical architecture. If a town has two dozen churches and half a dozen notable secular buildings, after a brief skim over the latter you can be sure you'll read about every single f**king church in detail - witness the Marylebone chapter, which is obviously the best place because it's in London and all the best people live there. (It makes me think I'd rather claw my own eyes out than go on to read "Nairn's London".)

Unless you can make sense of cryptic remarks such as "the old rhythms have been caught and effortlessly translated" or "queer things happen in the transepts [like WHAT?], and the inside of the tower, looking up, brings to mind Baalbek rather than Bayeux" - or are actually standing before the architecture in question while reading - I'd avoid it. It's a lot of verbiage to very little descriptive end. Owen Hatherley, whose waspish addenda to each chapter are probably the highlights, lauds Nairn for the quality of his writing, but I'm afraid it left me mostly nonplussed. One star added for the design of this reprinted edition, which is exemplary.

September 21 2019

September 20 2019

Nairns Towns by Ian Nairn Ade started reading Nairns Towns by Ian Nairn

September 19 2019

September 18 2019

Nairns Towns by Ian Nairn Ade wants to read Nairns Towns by Ian Nairn
Portmeirion by Jools Holland Ade gave 4 stars to Portmeirion (Hardcover) by Jools Holland

September 14 2019

Ade made a comment in the Postwar British history group:

The next volume of Dominic Sandbrook's post-war histories is out on 26th Sept, entitled Who Dares Wins: Britain, 1979-1982. I'm aware that Sandbrook's stock has sunk somewhat lately among the Twitterati (writing Daily Mail fluff pieces praising Thatcher's achievements will do that for you) but I'll likely be buying this one on release, particularly if I can find a good discount (full RRP looks swingeing, although I guess he's been working on it for years now and it's probably the size of a couple of housebricks).

Bit disappointed that it only covers such a limited period; the same short duration was the main limiting aspect of Andy Beckett's Promised You a Miracle: UK80-82, which I have no doubt will form one of the major sources for this book. But still, something new to read at last after a lean few years for this topic.

September 10 2019

Secure boot with Cobbler

It doesn’t appear to be much discussed but you can perform secure boot of UEFI clients from a Cobbler build server. We managed it recently, under pain of needing to install Ubuntu on 400 Dell laptops before an imminent start-of-term deadline, and with only a modicum of dirty hacks.

<!-- more -->

I’m not claiming to be an expert on how Secure Boot works (all my knowledge was gained on a JIT basis), but my understanding of it thus far is contained within the following:

  • Secure Boot only generally works on UEFI firmware.
  • UEFI supports PXE network booting the same as BIOS, although you might have to explicitly enable it first in Setup, so Cobbler compatibility isn’t generally an issue (but see below). You will need to use an EFI-compliant boot loader though (i.e. GRUB), rather than PXELINUX .
  • Secure Boot firmware requires all the binaries it loads (i.e. the boot loader and initial OS bootstrap files) to be cryptographically signed and checksummed by a trusted key.
  • The default keys in most UEFI images belong to Microsoft, so the boot loader at least must be signed by a Microsoft key.
  • The firmware will also import and trust keys that have been signed by a Microsoft key. Hence the approach for booting a Linux-based OS is to first load a shim file which is verified by MS and signed with one of their trusted keys. This in turn provides a distro-specific CA key, which has been used to sign the further stages of the boot process (GRUB loader, kernel, initial ram disk, etc.). The implication of this is that the shim, loader, kernel and ram disk files must all come from the same distribution. Under the standard non-secure client boot, Cobbler relies on a common GRUB loader to boot any supported distro kernel. This won’t work with secure boot; you need to use the shim and loader file specific to the vendor and OS distribution you’re booting. This has implications if you’re using Cobbler for DHCP management, as the DHCP template in Cobbler serves a generic EFI boot loader by default, so either you hack the template to differentiate secure boot clients some way or you stick with secure booting only one supported OS flavour.
  • Only GRUB2 supports secure boot. I don’t believe Cobbler currently supports GRUB2, in terms of generating the correct configuration files (there is a merged PR but it isn’t in a release yet), but it can be hacked to do so as we’ve done here.
  • GRUB as utilised by Cobbler relies on the GRUB loader searching for a client-specific configuration file named after the MAC address, e.g. something like 01-00-50-DE-AD-BE-EF. Unfortunately, it turns out that this behaviour was added to GRUB by Red Hat in a downstream patch and is specific to their version. Remember I said you have to use the distro-specific GRUB loader signed with the same key as everything else? So yep, this won’t work for non-EL distros. Instead, we’ll need to load a common grub.cfg configuration file that then sources a second configuration named after the client MAC address. (Needless to say, the MAC address format used by Red Hat’s GRUB and thus generated by Cobbler differs from the one returned in the standard GRUB2 client variables. Hack, hack.)
    Also, we discovered that some of the typical GRUB2 loadable modules (such as regexp) are blacklisted in a secure boot environment, which further limits the kind of manipulations you can perform within the config.
  • IMPORTANT: Secure boot also means that any third party kernel modules - such as, say, the proprietary NVIDIA driver - must also be signed with a trusted key. As an end user can’t use the distro key to do this, DKMS typically generates a new Machine Owner Key (MOK) at install time using mokutil. It then prompts you interactively for a password, which must be entered on the next boot to confirm import of the new key into the firmware database so that the driver will be authenticated to load. As far as I can tell, this process cannot be automated, at least via Ansible (doubtless you could build a custom integrated distro instead but…). Despite all our effort to make Secure Boot work, this caught us out in the end and resulted in us disabling it on each client. But up until that point, it worked so I’m providing the recipe here for anyone with more modest requirements.

In our case, PXE client configuration is a little simpler or at least less of a concern as we use external DHCP servers and configure the client boot parameters such as the initial filename separately. (If you’re using Cobbler for DHCP: sorry, you’re on your own but see the notes above.) As mentioned, our specific use case was to boot Ubuntu Bionic 18.04 LTS on Dell 5490 laptops from a CentOS 7 host running the cobbler-2.8.4-4 package from EPEL. In the end, we used the method suggested by this Russian blog post (Google translation - don’t copy the shell source from this link as it will be corrupted). The post suggests adding a Cobbler post-sync trigger script to create the required GRUB configurations with the correct filenames by copying and renaming the ones generated by Cobbler. However, in our case we also need to convert the GRUB-legacy configurations to GRUB2 syntax and reformat the client MAC addresses to be compatible with that used in the GRUB2 $net_default_mac variable, which is colon- rather than hyphen-separated. The revised configurations are written to a uefi/ subdirectory under the TFTP boot folder, along with a default (initial) config that simply sources the appropriate client MAC-specific file.

Step-by-step then, here’s what to do:

  1. Ensure your distro signatures are up to date in Cobbler.
  2. Import the Ubuntu server edition ISO into Cobbler (don’t use a live image, it won’t work) and set up a boot profile and client systems as normal. Cobbler includes an example Debian preseed file called sample.seed (and good luck with it because the syntax isn’t well documented).
  3. On the Cobbler server, create the directory /var/lib/tftpboot/uefi/.
  4. From an existing installed Ubuntu system, ensure the packages shim-signed and grub-efi-amd64-signed are installed and copy the files /usr/lib/shim/shim64.efi and /usr/lib/grub/x86_64-efi-signed/grubnetx64.efi. Copy them to the uefi/ folder above, renaming as shim64.efi and grubx64.efi respectively.
  5. Download this Cobbler post-sync trigger script, make it executable and place it in /var/lib/cobbler/triggers/sync/post/uefi.sh.
  6. Configure the DHCP PXE settings for your Ubuntu client to boot from the Cobbler host as the TFTP server using the filename uefi/shimx64.efi. As I noted above, if you’re using Cobbler as the DHCP server, this may require a bit more hacking of /etc/cobbler/dhcp.template.
  7. Run cobbler sync and check the generated files under /var/lib/tftpboot/uefi/.

(With thanks to all the authors of the various blog, forum and GitHub posts I googled to figure all this out.)

September 09 2019

How To Build A Boat by Jonathan Gornall Ade is starting <a href="/book/show/45310359-how-to-build-a-boat">How To Build A Boat</a>.
Ade wrote: Just a warning for anyone embarking on this: no wood actually gets cut until chapter 10. Up to then, there's a lot of dreaming sentiment about the nobility of the tradition, the history of the craft and one anecdote about a log boat whose near-irrelevance almost caused me to toss the book. One might suspect this is all a displacement activity and that's probably only right, as it reflects this type of venture.

September 07 2019

September 03 2019

Outsider II by Brian Sewell Ade gave 4 stars to Outsider II: Always Almost: Never Quite (Hardcover) by Brian Sewell
Endlessly gossipy and waspish, though no doubt many of those slighted by Sewell would have tales of their own to tell in retaliation. Mostly rather dismissive or despairing of any changes in his world after about 1969, and (one suspects justifiably) often outright contemptuous of those working in the media, especially broadcast television. Along with all that, he's positively priapic until age and health curtail his energies, if not the urges that drive them. Some of the art discussion will only make sense to connoisseurs, but this barely detracts from the flow.

At one point, he reveals that he believes his real father to be the composer and critic Philip Heseltine, aka Peter Warlock, who was found dead from coal gas poisoning in what was commonly assumed to be a deliberate act. This rang a bell so I looked him up, and indeed he was the model for the character Maclintick in Anthony Powell's A Dance To The Music Of Time. Sewell himself could easily have appeared in a cameo in that series had his lifespan overlapped more closely with Powell's.

August 29 2019

Shelley's Boat by Julian Roach Ade gave 5 stars to Shelley's Boat (Paperback) by Julian Roach
Percy Bysshe Shelley loved boats and particularly the boat (or schooner or ketch as it may be) he had made in Italy, but you don't have to read far between the lines here to understand that he was a bloody useless sailor. Nor were his ostensibly more experienced companions much better in this regard, torpedoed - so to speak - by respectively an overweening sense of superiority and a profound lack of care. It would perhaps be more accurate to say he loved the idea of sailing and was less concerned with the practicalities, such as the tiller in one hand compared to whatever book he happened to have in his other hand at the time. This book is called "Shelley's Boat" but it might equally well be titled "Anatomy of a Literary and Maritime Disaster".

Julian Roach does an excellent job of setting the scene, filling in the background context of Shelley's life, achievements, rare genius and accompanying character flaws up to this period, fleshing out the supporting cast, including Byron, the long-suffering Mary Shelley, and his companion in sailing and eventually drowning, the aforementioned supremely overconfident Edward Williams, and analysing at length the various causes, theoretical and reported, of the inevitable tragedy. True, there is a moderate amount of nautical discussion, some of which may strike landlubbers as speculative rambling that is besides the point, but it's easy enough to skate over without spoiling the experience. And besides, you might otherwise miss the absorbing explanation of the Maunder Minimum and Dalton Minimum, and the fortuitous impact of the former on the quality of Stradivarius instruments.

A quick, easy read with an intriguing premise that ultimately doesn't disappoint in either the telling or the appreciation it leaves of Shelley's legacy. Or, for that matter, the importance of good seamanship.

August 28 2019

Nash Point Lighthouse
Older posts are this way If this message doesn't go away, click anywhere on the page to continue loading posts.
Could not load more posts
Maybe Soup is currently being updated? I'll try again automatically in a few seconds...
Just a second, loading more posts...
You've reached the end.

Don't be the product, buy the product!