Somehow lately I have been in numerous discussions about programming languages, and about which language is interesting, better, etc. The only consensus is that there is no consensus. Different people choose different programming languages, and most of the time they are quite opinionated about them. (I do have my personal preferences, which I express quite vividly ;)). However, there is another point that most people also agree on:

If you are a programmer, you can learn and use any language.

I can easily agree with that. If someone knows the basics of programming, and has learned the required discipline, the basic data structures and, most importantly, a certain way of thinking, then it is much easier and faster to learn a new programming language. A programmer also has a large corpus of problems that he already understands well and can use as a playground in order to pick up the nuances of the new language. It can be harder if you also have to learn a new programming paradigm, but even in this case the odds are much better.

However, the fallacy arises from a distortion of the above sentence. A lot of people use it in the following way:

You are already a good programmer, so I am sure it will be really easy for you to pick <<insert your worst possible language>> very fast and write code in it.

I regard this as a fallacy, because people mix ability with will. Pardon the improper wording, but it sounds like the equivalent of: “You are a guy, I am sure you can have sex with any girl”. The fact that I have the required skills (equipment in this case) to do something does not mean that I want to do it. Of course, if I am forced I can certainly do it, but it will be a bad performance, miserable, and in the end it will probably leave a really bad feeling (sometimes even a trauma). The reason people fall into this fallacy is that they do not regard programming as an art, but as the mundane pressing of buttons that produces something useful after a proper dose of coffee.

I do regard programming as a form of art, close to writing prose (with stricter rules). It is not just the solving of a well-formed mathematical problem (in many cases), but also a form of expression. This is what differentiates beautiful code from ugly code. There is even research showing that programming activates the language centers of the brain more than the mathematical ones (for example here, but I have not looked exhaustively into it). So different programming languages matter because they are the tools of our expression (like a painter uses different types of brushes). These are very important tools, because as we shape our tools, the tools shape us back. I have seen very few people who are indifferent to the programming language they use; even most of those have quite strong preferences, while being quite tolerant about what they would use. Each person has a different level of tolerance for different things, but it is not always wise to test it. 😉



May 6, 2015

As the title (Yet Another Article On SSH VPN) suggests, this is mostly personal note keeping for creating an SSH VPN using the manual method.

We assume a running OpenBSD server with IP and a running Linux client with IP . The tun interface we will create uses the IPs on the server side and on the client side.

  • Enable the support on the server side. Put in /etc/ssh/sshd_config:
    PermitTunnel yes

    For a layer-3 tunnel like this one, PermitTunnel point-to-point is also enough (yes allows both point-to-point and ethernet tunnels).

  • Client side:
    client# ip tuntap add dev tun0 mode tun
    client# ifconfig tun0 pointopoint
  • Server side:
    server# ifconfig tun0 create
    server# ifconfig tun0
  • For the final ssh:
    client$ ssh -w 0:0

Since both machines use the tun0 interface, the -w option is 0:0 (the format is local_tun:remote_tun). If the server used tun1, the option would be -w 0:1.
Then we need the relevant route commands to make traffic flow through this SSH VPN tunnel.
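The steps above as one script, added here as an example and not part of the original note. Everything the note leaves blank is an assumption with a default you can override from the environment: the server host (SERVER), the tun names on each side (CLIENT_TUN, SERVER_TUN), the point-to-point addresses (CLIENT_IP, SERVER_IP) and the network to route through the tunnel (REMOTE_NET). The server side is only printed, since it has to be typed on the OpenBSD box; the client side is printed in dry-run mode and executed otherwise. Opening the tun device on the server needs root, which is why the ssh line logs in as root; on a real deployment restrict that key with a tunnel="N" option in authorized_keys rather than allowing a general root login.

```shell
#!/bin/sh
# Added example, not from the post: the manual tun-over-SSH procedure as one
# script with a dry-run mode. All values below are assumptions (the post
# elides its real addresses); override them from the environment.
set -eu

SERVER=${SERVER:-server.example.org}
CLIENT_TUN=${CLIENT_TUN:-tun0}
SERVER_TUN=${SERVER_TUN:-tun0}
CLIENT_IP=${CLIENT_IP:-10.8.0.2}
SERVER_IP=${SERVER_IP:-10.8.0.1}
REMOTE_NET=${REMOTE_NET:-192.168.50.0/24}

# Numeric index of a tun interface name: tun0 -> 0, tun12 -> 12.
tun_index() {
    case "$1" in
        tun[0-9]*) printf '%s\n' "${1#tun}" ;;
        *) printf 'not a tun interface: %s\n' "$1" >&2; return 1 ;;
    esac
}

# ssh -w takes local_tun:remote_tun, so tun0 here and tun1 there is 0:1.
w_arg() { printf '%s:%s\n' "$(tun_index "$1")" "$(tun_index "$2")"; }

# True if the given sshd_config enables tunnelling (yes or point-to-point).
# sshd honours the first occurrence of a keyword, so this only checks that an
# enabling line exists; it does not resolve conflicting duplicates.
permit_tunnel_enabled() {
    grep -Eiq '^[[:space:]]*PermitTunnel[[:space:]]+(yes|point-to-point)' "$1"
}

# Commands to run as root on the OpenBSD server (printed, never executed here).
server_commands() {
    cat <<EOF
ifconfig $SERVER_TUN create
ifconfig $SERVER_TUN $SERVER_IP $CLIENT_IP
EOF
}

# Commands for the Linux client: create and address the tun, bring the tunnel
# up over SSH in the background, then route the remote network through it.
client_commands() {
    cat <<EOF
ip tuntap add dev $CLIENT_TUN mode tun
ifconfig $CLIENT_TUN $CLIENT_IP pointopoint $SERVER_IP up
ssh -f -N -w $(w_arg "$CLIENT_TUN" "$SERVER_TUN") root@$SERVER
ip route add $REMOTE_NET via $SERVER_IP dev $CLIENT_TUN
EOF
}

# DRY_RUN=1 (the default) prints both sides; DRY_RUN=0 executes the client
# side, which needs root for the tun device and the route.
main() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "# on $SERVER:"; server_commands
        echo "# on the client:"; client_commands
    else
        client_commands | sh -e
    fi
}

if [ "${SSHVPN_RUN:-0}" = 1 ]; then main "$@"; fi
```

Run it with SSHVPN_RUN=1 to print the plan, and SSHVPN_RUN=1 DRY_RUN=0 to execute the client half; check the server's sshd_config with permit_tunnel_enabled /etc/ssh/sshd_config first, because with the default PermitTunnel no the ssh -w request is silently refused and the tunnel never carries traffic.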

Linux T440s lid script

April 11, 2014

I wouldn’t like to start talking about the sorry state of Linux power management on laptops, because the whole situation is at least disappointing. (Having dug into it only a little, power management is done by systemd-logind, acpid and pm-utils, and how all these interact once you add laptop-mode is not clear at all.) I use my new T440s either as is, or as a “desktop” replacement with an external monitor, keyboard and mouse. In the second case, when “docked” with the peripherals connected, I didn’t want closing the lid to activate the screensaver or suspend the system; on the other hand, whenever I was using the laptop undocked, closing the lid should put it to sleep. After fiddling a little with the configuration, I thought the best way was to create the following script, which I put in /etc/acpi/local/


#!/bin/sh
# This script affects the way the lid behaves. The logic is described below:
# If the laptop is connected to an external display
#   If we have a display in the active displays that is not the built in
#       unset everything (do nothing)
# else
#   suspend (the undocked behaviour described above)
#
# Assumed, not in the original fragment: the X socket directory $d, the X
# user $XUSER (defaults to the first user logged in on a local display) and
# the name of the built-in panel $XRANDR_OUTPUT. Adjust for your setup.
d=/tmp/.X11-unix
XUSER=${XUSER:-$(who | awk '$NF ~ /^\(:[0-9]/ {print $1; exit}')}
XRANDR_OUTPUT=${XRANDR_OUTPUT:-eDP1}
XAUTHORITY=$(getent passwd "$XUSER" | cut -d: -f6)/.Xauthority
export XAUTHORITY
external=0

#getting the outputs
for x in $d/X*; do
    [ -e "$x" ] || continue
    displaynum=${x##*/X}
    if [ x$XAUTHORITY != x ]; then
       export DISPLAY=:$displaynum
       # the character class accepts lowercase and '-', so names like eDP1 or
       # DP-1 match; the original [A-Z0-9] pattern silently missed them
       connectedOutputs=$(su $XUSER -s /bin/sh -c "xrandr" | grep " connected" | sed -e "s/\([A-Za-z0-9-]\+\) connected.*/\1/")
       activeOutput=$(su $XUSER -s /bin/sh -c "xrandr" | grep -e " connected [^(]" | sed -e "s/\([A-Za-z0-9-]\+\) connected.*/\1/")
       connected=$(echo $connectedOutputs | wc -w)

       #if we have one display do nothing
       if [ $connected -gt 1 ]; then
           for display in $activeOutput; do
               if [ x$display != x$XRANDR_OUTPUT ]; then
                   external=1
               fi
           done
       fi
    fi
done

# Docked with an active external output: leave the session alone.
# Otherwise behave like an undocked laptop and suspend (pm-utils).
[ $external -eq 1 ] || pm-suspend

This script is called by /etc/acpi/ which in turn is called when a lid event is received, as defined in /etc/acpi/events/lidbtn

In one of the projects we had a number of virtual machines serving the same content. The content was duplicated in the local filesystem of each of them. The storage used by the VM infrastructure was getting full, so the VM infrastructure provider politely asked whether we could do something about it.

The first step was easily decided: we set up a VM that held all the content and shared it over NFS with the other web servers. The next part was to resize the disks of the VMs so that the excess space could be freed. One possible way was to attach a second disk, transfer everything there, change the VM configuration, and it should work. However, this sounded like a good opportunity to try a few things with LVM. This is a small step-by-step guide on how to do it.


Let’s not have the argument about whether tomcat should run standalone (with tcnative and APR) or behind a web server that proxies the requests back to tomcat; let’s assume the tcnative case.
In this case, one issue that comes up regularly when tomcat is also configured for client certificate authentication is CRL expiration. When the CRL expires, tomcat refuses to perform any more authentication and the application comes to a halt. This is not a bad thing per se (who would want to let people log in without at least a rough estimate of whether one of their certificates has been revoked?), but the problem is that there is no clean way to make tomcat reload the CRL once the old one has expired. So, to fix this problem, a new patch for tcnative was created.
More information about the issue and the patch can be found here: link.

The notable thing about this patch, to me, is that it was created without a test system; debugging was done by code inspection. The test system and the debugging process were needed afterwards, when another issue came up with the integration of the OCSP patch into tomcat (a double apr_poll_destroy()). I was happy, since it had been a while since I had developed anything without a debugger and the usual write-compile-debug cycle!
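Whether or not the reload patch is in place, the failure mode described above (authentication stops the moment nextUpdate passes) is worth catching before it happens. The following is an added example, not part of the post or of tcnative: a cron-style check that reads nextUpdate from the CRL file the connector points at (normally the SSLCARevocationFile attribute in server.xml) and exits non-zero when it is expired or inside a warning window, so the CRL can be refreshed and tomcat restarted or the reload triggered in time. The file paths and the 24-hour window are assumptions; the date -d conversion is GNU date syntax.

```shell
#!/bin/sh
# Added example (not from the post or tcnative): warn before the CRL loaded by
# tomcat/tcnative reaches its nextUpdate, i.e. before client-certificate
# authentication halts. Paths and the warning window are assumptions.
set -eu

# Classify a CRL from its nextUpdate (epoch seconds), the current time and a
# warning window in seconds: prints EXPIRED, EXPIRING or OK. nextUpdate equal
# to "now" already counts as expired, matching OpenSSL's strict comparison.
crl_status() {
    next=$1; now=$2; warn=$3
    if [ "$next" -le "$now" ]; then
        echo EXPIRED
    elif [ $((next - now)) -le "$warn" ]; then
        echo EXPIRING
    else
        echo OK
    fi
}

# Extract nextUpdate from a PEM or DER CRL with openssl and convert it to
# epoch seconds (GNU date -d understands openssl's "May  6 12:00:00 2015 GMT").
crl_next_update_epoch() {
    crl=$1
    form=PEM
    grep -q 'BEGIN X509 CRL' "$crl" 2>/dev/null || form=DER
    line=$(openssl crl -in "$crl" -inform "$form" -noout -nextupdate)
    date -u -d "${line#nextUpdate=}" +%s
}

# Check every CRL file given on the command line; exit 1 if any is expired,
# inside the warning window, or unreadable, so cron/monitoring notices.
check_crls() {
    warn=${CRL_WARN_SECONDS:-86400}
    now=$(date -u +%s)
    rc=0
    for f in "$@"; do
        if ! next=$(crl_next_update_epoch "$f"); then
            echo "$f: unreadable CRL" >&2; rc=1; continue
        fi
        st=$(crl_status "$next" "$now" "$warn")
        echo "$f: $st (nextUpdate $(date -u -d "@$next"))"
        [ "$st" = OK ] || rc=1
    done
    return $rc
}

# Run only when asked, so the functions can also be sourced and reused.
if [ "${CRL_CHECK_RUN:-0}" = 1 ]; then
    check_crls "${@:-/etc/tomcat/ssl/ca.crl}"
fi
```

A crontab line such as CRL_CHECK_RUN=1 CRL_WARN_SECONDS=172800 /usr/local/sbin/crl-check /etc/tomcat/ssl/ca.crl turns an EXPIRING result into an alert two days ahead; the script deliberately does not restart tomcat itself, since when and how the connector picks up the new CRL depends on whether the reload patch is deployed.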

Selective port forwarding

September 18, 2012

A short post to document the solution used in a somewhat recurring situation.
A colleague had a machine in the internal network to which he wanted to give access to someone outside our network. Let’s assume that the IP of the internal machine is and the external IP of the other person is yyy.yyy.yyy.yyy.
The solution was to use his machine as a gateway with port forwarding. The interesting part is what happens if we want to forward a port on which a service already listens. In this case the solution is easily done with iptables, using the following script:

echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A PREROUTING -j DNAT -p tcp -s yyy.yyy.yyy.yyy --dport pp --to-destination
iptables -t nat -A POSTROUTING -p tcp -s -j MASQUERADE
iptables -t nat -A POSTROUTING -p tcp -d -j MASQUERADE

In case the default policy for PREROUTING is DROP another rule is needed:

iptables -t nat -A PREROUTING -p tcp --dport pp -j ACCEPT

This way the machine with IP yyy.yyy.yyy.yyy reaches the service on the internal machine, whereas all the other machines just use the service that runs on the local machine.

I can think of a number of uses for this. It could provide a small authentication daemon on that same port, so that once someone authenticates he is added to the port-forward chain, or a small service that bans IPs that try to connect to it when they are not explicitly permitted.
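The same selective forward, written as an added example (not the post's script) that generates the rules from three parameters so they can be reviewed before they are applied. Two things a practitioner should check that the post leaves implicit: the DNATed packets traverse the filter table's FORWARD chain, so a FORWARD policy of DROP needs explicit ACCEPT rules (included below, stateful via conntrack), and the MASQUERADE on traffic to the internal host means that host sees the gateway, not yyy.yyy.yyy.yyy, as the client in its logs; drop that rule only if the internal host already routes replies back through the gateway. The addresses in the usage and test are documentation placeholders (RFC 5737 and RFC 1918), and the variable names are assumptions.

```shell
#!/bin/sh
# Added example (not the post's script): selective DNAT of one TCP port to an
# internal host for a single external source, leaving the service on the
# same port of the gateway reachable by everyone else. Placeholders:
# ext_src (permitted external IP), int_ip (internal host), port (service).
set -eu

# Print the iptables commands. Only the listed source is DNATed in
# PREROUTING; every other source falls through to the local service. The
# FORWARD rules matter when the filter policy is DROP, and the MASQUERADE
# keeps replies flowing back through the gateway (as in the post's script).
forward_rules() {
    ext_src=$1; int_ip=$2; port=$3
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp -s $ext_src --dport $port -j DNAT --to-destination $int_ip:$port
iptables -t nat -A POSTROUTING -p tcp -d $int_ip --dport $port -j MASQUERADE
iptables -A FORWARD -p tcp -s $ext_src -d $int_ip --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -A FORWARD -p tcp -s $int_ip --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}

# Number of commands that would be emitted, for review and tests.
rule_count() { forward_rules "$@" | wc -l | tr -d ' '; }

# Apply the generated commands one by one, stopping at the first failure so a
# typo cannot leave half a ruleset in place (needs root).
apply_rules() { forward_rules "$@" | sh -e; }

# FWD_APPLY=1 EXT_SRC=... INT_IP=... PORT=... ./selective-forward.sh
if [ "${FWD_APPLY:-0}" = 1 ]; then
    apply_rules "${EXT_SRC:?}" "${INT_IP:?}" "${PORT:?}"
else
    forward_rules "${EXT_SRC:-203.0.113.5}" "${INT_IP:-192.168.1.10}" "${PORT:-22}"
fi
```

Running the script without FWD_APPLY prints the five commands for inspection; the -A appends mean the DNAT rule only wins if no earlier PREROUTING rule already matches the port, so check iptables -t nat -L PREROUTING -n --line-numbers on a gateway that already has NAT rules before applying.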

Following this post, what was left was my discomfort that Cisco didn’t provide a way to log the commands sent to the switch using RADIUS accounting; one had to use TACACS+. As I wrote there:

In the accounting section Cisco unfortunately (READ: WHY DEAR GOD, WHY??) doesn’t support sending each command a user types to RADIUS, only to TACACS+, so the accounting part is at least handicapped.

So I was looking for a solution on the Internet. I didn’t find anything that quite fit, so I tried to code my own version.