What’s New

• Nightly build – changeset: 25821:0e772546d16b
• Portable edition has been also provided since now. It will create a profile folder “Firefox (Profile)” if needed.
• Use P2 If in doubt
• Firefox 3.5 is based on the Gecko 1.9.1 rendering platform, which has been under development for the past 9 months. Firefox 3.5 is an incremental release on the previous version with significant changes to improve web compatibility, performance, and ease of use
• Improved tools for controlling your private data, including a Private Browsing Mode
• Improved performance and stability with the new TraceMonkey JavaScript engine.
• Support for native JSON, and web worker threads
• Reduce memory usage by using jemalloc
• Speed improvement by using Profile-Guided Optimization (PGO)

Firefox 3.5pre community edition en_US (20090601)

• [FX] P3 build, Portable edition (9.1 MB)
• [FX] P2 build, Portable edition (9.1 MB)
• [FX] P1 build, Portable edition (9.1 MB)

• my tweaks profile patch
• Adobe Flash Player 10.0.22.87 (Test flash version)
• Windows Media Player Firefox Plugin 1.0.0.8 (MozillaZine Knowledge Base)
• Reduce memory usage by using jemalloc
• Speed improvement by using Profile-Guided Optimization (PGO)
• Support Mozilla Update Channel since Firefox 2.0.0.6
• Used branding artwork by JairoB
• P1/P2/P3 all build with VC9
• P1 build build with -Ox -GLAs -fp:fast -GS-, for Generic CPU
• P2 build build with -Ox -GLAs arch:SSE -fp:fast -GS-, for Athlon XP, Duron 1.1 GHz+, Pentium III ,Celeron 500+
• P3 build build with -Ox -GLAs arch:SSE2 -fp:fast -GS-, for AMD Athlon 64, AMD Sempron, Pentium D, Pentium M, Pentium 4, Celeron 1.7 GHz+ and other new CPU.

Popularity: 10% [?]

I’m using bash-completion-20081219-r1 currently. When I type vim and hit <tab> for the bash completion, it gives an error:

However, I only enable “vim” and “mercurial” module for the bash completion:

So I check global setting by adding –global argument:

That shows my system is only enabling “gentoo” module.

The reason is the _filedir function is defined in the “base” module for bash completion but it is not enabled by default. The “vim” module calls _filedir which is undefined so that it leads to the error.

The solution is enabling “base” module as well:

Of course, enables “base” module globally:

Popularity: 11% [?]

前一陣子上班時, Samuel 跑過來問:

“咦? 你們之前寫某個 Server 的時候, 怎麼讓程式自己產生 Core dump 啊?”

“那幫我看一下為啥我照著那樣寫不會動..”

沒想到就開始了殘酷的惡夢~ 讓我們花費了不少工夫才發現為甚麼.

在 Linux 上, 預設是不會有 Core dump 的, 而要讓程式產生 Core dump 的方法就是利用 bash built-in 的 ulimit 指令. 我去年這篇 How to enlarge Coredump Size and File Descriptor Limitations 剛好也有寫到.

不過意外常常有, 所以除了讓 System administrator 設 ulimit -c unlimited 之外, 我自己也會在程式裡面利用 setrlimit(2) 這隻 system call, 讓程式在執行時, 能夠不管 administrator 有沒有用 ulimit 設定 Core dump size, 保證一定會產生 Core dump. 在程式 crash 的時候, Core dump 是很重要線索啊! 就像 CSI 一樣, 讓證據會說話.

可是在看完 Samuel 的程式時, 我和他兩個就覺得很奇怪, 應該是會 work 才對, 因為同樣的 code 寫的程式已經在 production server 上跑了一段時間, 應該不會有問題才對, 這時候, 我才猛然想起來, 管機器的 administrator 曾說過有時候 Core dump 不會出現. “God! 該不會就是同一個問題吧?”

和 Samuel 兩個人找完資料的答案, 就是寫這篇文章的動機了. 我們發現, 如果一個程式按照上面的方法都無法產生 Core dump, 那要看看這個程式是否是用了 setuid(2) 這個 System call. 我們發現, 一個 setuid(2) 或 seteuid(2) 過後的程式, 是沒有辦法產生 Core dump 的.

好巧不巧, 通常 Server 為了一些安全性的考量, 也會實作 setuid(2) 或 seteuid(2) 來達到 Running with Least Privilege (相對應 Windows 的指令就是 Run As). 也就是說, setuid(2) 一定是不能略過的. 解決方法有兩種.

第一種是只有這個程式有效. 用的方法就是 prctl(2). 這個方法是可以改 source, 然後 rebuild 的狀況下才能用. Sample code 如下:

這種方法要注意的事情有:

• 一定要用 root 執行.
  setuid 然後讓一般 user 去執行的方法不行.
  (e.g. sudo chown root a.out; sudo chgrp root a.out; sudo chmod 4755 a.out)
• 因為 Core dump 產生的目錄和執行檔在同一個目錄下, 這個目錄的權限一定要是 root 這個 user, root 這個 group 同時都可以寫入才行. 要注意這個 case, 不要把 root 當成是 super-user, 而是要當作 regular user.
  比方說, (drwxrwxr-x, root root) 和 (drwxrwxrwx, nobody nogroup) 可以, 但是 (drwxr-xr-x root root) 和 (drwxrwxr-x root nogroup) 都不行. 很弔詭吧! 我也不知道為甚麼~

第二種方法是 system-wide 的, 也就是會影響到所有在系統執行的程式. 方法就是 /proc/sys/fs/suid_dumpable. 因為這個和 kernel 的版本有關, 請 man 5 proc 比較保險. 這是在無法動 source code, 而且原程式沒有用 prctl(2) 情況下的殺手鐧.

要注意的事情和第一種方法一樣, 把 /proc/sys/fs/suid_dumpable 設成 1 或 2 的差別, 是會決定 core dump file 的擁有者. 如果設成 1, 就會和第一種方法一樣是被 switch 的 owner (本例是 nobody). 如果設 2 就一定是 root, 但是這個似乎要 kernel 2.6.13 以上才有 support? 我不是很確定.

希望這篇文章給大家當作個參考囉!

PS: 這篇竟然寫了快二個周末, 真是夠久的~

Popularity: 34% [?]

今天更新 Gentoo Linux 時, 在 sudo emerge -uvDNat world 之後, 發現 php-5.2.3 升到 php-5.2.4_pre200708051230, 然後 expat-1.95.8 升到 expat-2.0.1, 當下暗暗感覺不妙, 果不其然, 升級完之後 apache 就不會動了, 比方說執行 sudo /etc/init.d/apache2 stop 時, 會出現:

果然, 因為 expat-1.95.8 的是編出來的 libexpat.so.0, expat-2.0.1 會編出 libexpat.so.1. 我試著 rebuild apache 結果也一樣不行.

正確答案要這樣:

就是把系統中, 會用到 libexpat 的套件都 rebuild 之後才會動. 給大家作個參考.

Popularity: 29% [?]

上個禮拜, Sun 終於拿出殺手級的 processor : UltraSPARC T2 (Niagara 2)!

除了把從 T1 的 32 threads per processor (8 cores, 4 threads/core), 加到 64 threads per processor (8 cores, 8 threads/core) 之外, 最令人在意的是 “Zero Cost” Security 這個 feature.

一般大家不作一些 security 保護的理由不外乎是速度慢, 尤其是在 web server 的 implementation, 作了之後對 throughput 影響非常明顯, 所以在 T2 中, 他們加了一個 cryptographic unit, 也就是說可以利用這個硬體來完成一些費時的 security function.

本來以為作了 DES, 3DES, AES, MD5, SHA-1 就了不起了, 但是在 2007/07/08 的新聞中, 聽到 Sun Staff Engineer Dr. Lawrence Spracklen 的 talk, T2 support 的有:

Public-key
• RSA
• DSA

Bulk Cipher
• RC4
• DES
• 3DES
• AES-128
• AES-192
• AES-256

Secure Hash
• MD5
• SHA-1
• SHA-256

後來在他的 blog (Lawrence Spracklen’s Blog) 中, 看到他寫的這篇 UltraSPARC T2 Crypto performance. 看起來還蠻不賴的啊~

接著我猜會有強者利用這些硬體作出 T2 的 SSL. 好期待測出來的數字啊~

PS: 這裡是用 UltraSPARC T1 CPU 的 T1000 和 T2000 的價錢, 不知道搭配 T2 的 Server 會賣多少錢 XD

Popularity: 18% [?]

When we write a network server program, I think lots of system calls have their own explicit parameters like socket(), bind(), accept(). But it’s very interesting when we use this system call listen(). Let’s see its prototype:

Yes, it’s very obvious that the first parameter is the socket fd. But, what’s the meaning of backlog number? Some body would tell us like manpage LISTEN(2) says: “The backlog parameter defines the maximum length the queue of pending connections may grow to. If a connection request arrives with the queue full the client may receive an error with an indication of ECONNREFUSED or, if the underlying protocol supports retransmission, the request may be ignored so that retries succeed.”

From a robust server’s perspective, what’s the maximum value it should be assign? At first, I assigned very large number like 1,024 (of course, listen system call still returns successfully). After saw the manpage LISTEN(2) in Linux, I was wrong..

It doesn’t mention kernel 2.6. But it’s fine. Let’s investigate into Linux kernel source code.

In Linux kernel 2.6.20.1, we can see the listen system call implementation in net/socket.c line 1306. As it shows, the maximum number of backlog cannot be large than sysctl_somaxconn, which is assigned to SOMAXCONN. Furthermore, SOMAXCONN is defined 128 in include/linux/socket.h line 226.

In my opinion, in Linux 2.0 to 2.6, this means backlog cannot exceed 128 by default, or it would be truncated to SOMAXCONN silently like the manpage says.

How about FreeBSD? We can see the note of manpage LISTEN(2) in FreeBSD 6:

I’m not very familiar with FreeBSD kernel, but let me try to trace. The start point is to check sys/kern/uipc_syscalls.c of cvstag RELENG_6 in FreeBSD. We can see listen system call will invoke solisten(so, uap->backlog, td). Thus, we go to sys/kern/uipc_socket.c now to see the implementation of solisten(struct socket *so, int backlog, struct thread *td). The same, the maximum value is somaxconn which is assigned to SOMAXCONN by default. Finally, we can see the value is defined in sys/sys/socket.h. The value is the same as Linux — 128.

To put it another way, if you’re writing a server program in either Linux or FreeBSD platform, it’s very appropriate to assign the value of backlog to 128. in FreeBSD, however, you can assign a negative backlog to request the maximum allowable value.

You may ask what’s the value of backlog in popular modern server? Let’s check the source of Apache HTTP Server. As you see in /server/listen.c, ap_listenbacklog is assigned to DEFAULT_LISTENBACKLOG which is defined 511 in /include/mpm_common.h.

Popularity: 33% [?]

According to Darryl Gove’s post yesterday, the UltraSPARC-T1 tuning guide has been updated to include information about the Cool Tools.

Popularity: 29% [?]