Hacker's ramblings

All the nerds like me (escpecially me!) love new versions of software.

Backup

I got new toys for my Parallels Plesk Panel box and went for the automated upgrade. I attempted to do the mandatory full backup first:

/usr/local/psa/bin/pleskbackup server \
 --output-file=/Backups/pre-12.0.18.backup.tar -v -v

... just to make sure, that I have something to roll back to if it hits the fan. But it kept failing on me. Any domains having PostgreSQL databases failed to backup properly. I got log entries like:

Failed to execute backup database
Failed to pack files backup_hqcs_blog_1407141359 in /dumps/domains/hqcodeshop.fi/databases/hqcs_blog [ 115057410048 bytes free of 158532106240 bytes total on mount point 0]

Totally puzzling. Didn't make any sense at all! Looking at the detailed XML-log of the backup revealed following:

<?xml version="1.0" encoding="UTF-8"?>

<object name="server" type="server">
    <object name="hqcodeshop.fi" type="domain" uuid="domain#hqcodeshop.fi">
        <object name="hqcs_blog" type="postgresql">
            <message id="e6d718ef-5b52-49af-8c4f-4473393b30bd" severity="error" code="msgtext">
                <description>Failed to execute backup database</description>
            </message>
            <message id="d5e6cfd1-fa94-45d4-89b6-a47a0627134a" severity="warning" code="msgtext">
                <description>sh: AB12: command not found
                    sh: AB12: command not found
                    sh: AB12: command not found
                    sh: AB12: command not found
                    sh: AB12: command not found
                    sh: AB12: command not found
                </description>
            </message>
        </object>
    </object>
</object>

What command not found!? After a few puzzling moments later I realized it, that is the end of my panel admin's password! In the original form the password was [lot of characters here]>AB12. Somebody at the Parallels goofed! What would happen if your password has special characters. What if some of those characters were special in your command prompt? Not very solid backup code, huh!

The next thing was to change the password to one not containing any of these characters £$<>()&;"'`, they have special meaning on *nix command prompt. I always use randomly generated passwords and during my quests I regularily bump into systems that do not sanitize user input properly. I find that the ones from the number keys with shift are especially nasty. During registration process it is very easy to input a proper random passwod, but the system botches something and don't let me log in, or does something nasty like Parallels Plesk did.

Unfortunately changing the admin password didn't make the backup succeed! Apparently PostgreSQL password is stored somewhere else. I did do a:

/usr/local/psa/bin/admin --show-password

... to confirm, that system knows what the new password was. The thing is, that PostgreSQL password needs to be changed manually. I found the knowledge base article about that KB 120262 - How to update password for PostgreSQL admin user in Plesk? Running:

# plesk bin database-server --update-server localhost:5432 \
 -type postgresql \
-passwd `/usr/local/psa/bin/admin --show-password`
SUCCESS: Server localhost:5432 is successfully updated.

... did solve it. Then I managed to get backups.

Upgrade

There were no issues during upgrade. The web-upgrader took a while and then it said everything was done. There really was nothing special about this part.

During my checkings I found a really good knowledge base article about system settings. This is something that Parallels didn't have for previous versions. This is really good stuff: Parallels Plesk Panel for Linux services logs and configuration files. I kept going back to that one a lot.

Testing

When the new version was running, I naturally wanted to see that all my services were running properly. Things I found to be broken were POP3 and IMAP SSL-certificates. Also the Presence Builder didn't upgrade properly.

The funny thing about Courier IMAP/POP3 was, that upgrade reset my certificate settings back to something really stupid. I went to /etc/courier-imap/ to check the imapd-ssl and pop3d-ssl. I changed both of them to contain:

TLS_PROTOCOL=TLS1

That was done to reflect the setting I have in my /etc/postfix/main.cf:

smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3

My policy is, that if you're running something that does not support TLSv1, v1.1 nor v1.2 then you should use somebody else's services. It simply is insane to rely on SSL!

The Web Presence Builder said this on startup:

File: /usr/local/sb/include/Base/ORM/Object.php; Line: 249
Message: Undefined property "controlPanelLink" in object "SB_ORM_TokenAccess".; Code: 0

Luckily, that issue is covered by knowledge base article KB 119875: Cannot open a site in Web Presence Builder: "Undefined property "controlPanelLink" in object "SB_ORM_TokenAccess". A simple SQL-command:

ALTER TABLE `token_access` ADD `control_panel_link` VARCHAR( 255 ) NULL DEFAULT '' AFTER `skin_code`;

did do the fix.

Life after the upgrade

My system has been running as usual. There hasn't been any complaints from the users or I have not encountered anything else that didn't work.

Something funny happened to my Arch Linux, it changed the IPv6 address rather surprisingly. When I failed to SSH into it, I went to the console.

On none of my machines I have the RFC 4941 privacy extensions enabled. The first thing to do was to confirm, that the IP-address was not based on my Ethernet Address:

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:cf:1c:36 brd ff:ff:ff:ff:ff:ff
    inet6 2001::e2:349d:bcc6:c9fc/64 scope global noprefixroute dynamic
       valid_lft 84267sec preferred_lft 12267sec

There is absolutely no reference to the MAC-address 52:54:00:cf:1c:36 of in the EUI-64 address 00e2:349d:bcc6:c9fc. Given the calculator result of 5054:00ff:fecf:1c36. Apparently something modifies the autoconfiguration address.

First culprit could be Linux kernel:

# cat /proc/sys/net/ipv6/conf/all/use_tempaddr
0

I even iterated all the configurations:

find /proc/sys/net/ipv6/conf/ -name use_tempaddr -print -exec cat {} \;

just to make sure, that privacy is off.

That was puzzling. What the heck is going on in the machine!! After all, it used to work ok before. What could be doing that?

Lot of googling around landed me on Arch Linux ArchWiki IPv6 page. It says: "dhcpcd includes in its default configuration file since version 6.4.0 the option slaac private, which enables "Stable Private IPv6 Addresses instead of hardware based ones", implementing RFC 7217". Hum? I've never heard of RFC 7217, nor "A Method for Generating Semantically Opaque Interface Identifiers with IPv6 Stateless Address Autoconfiguration (SLAAC)", but there it was.

I confirmed /etc/dhcpcd.conf and yes, it did contain a:

slaac private

in it. Why?! I didn't ask for it. I simply put a comment (#) in front of the line and did a:

systemctl restart dhcpcd@eth0.service

To refresh the situation. No change. A reboot. Yes change!

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 52:54:00:cf:1c:36 brd ff:ff:ff:ff:ff:ff
    inet6 2001::5054:ff:fecf:1c36/64 scope global noprefixroute dynamic
       valid_lft 86399sec preferred_lft 14399sec

Now my IPv6-address was exactly what it used to be. Weird incident, though. There is a perfectly good mechanism for privatizing addressses, if wanted to. But now somebody had created another and some higher power made a choice for me to start using it. Really weird! Well, I'm hoping that my addresses won't change any more.

One day I got an e-mail from Google+ saying: "HQ Code Shop Oy hasn't shared anything on this page with you". I was more than puzzled. Sure I haven't shared anything with myself on Google+.

I clicked the link and got to the page. It had a Manage this page -button at the bottom:

It didn't do much good:

All it said was: "We are sorry, but you do not have access to this service. Please contact your domain administrator for access". Aow come on! Why did you have to create a page for something that you don't own and don't let the owner to control!

I went to my Google Apps administration console:

Yes, I have Google+ enabled for myself. However, that didn't change anything. I still was not able to manage my own company's page.

Many hours of surfing the web, reading many absurd attempts to fix the problem, and nothing. Then I went back to the Other Apps -section and started reading the descriptions:

It says "Add or edit your local business listing on Google Maps" next to Google Places -service, which I hadn't subscribed. I enabled that and hey presto! Suddenly I was able to manage the page. Naturally I had to pass the automated phone call test from Google, but I finally got control of my own property.

This is yet another shame-on-you-Google -thing they do while going towards world domination.

I really don't understand why people complain about iPhone screen size being too small. Personally I'd rather carry a phone, not iPad. Also it happens that iPhone 4S is one of the best phones Apple ever manufactured, it is robust and take mis-handing, it is stable and never crashes on iOS 7. You cannot say that about previous or later phones. And IMHO the best feature about 4S is that it simply has the correct size!

My unit started showing symptoms of aging. Battery charge time was over 3 hours from 20% capacity to full, which felt like much longer time when my phone was new. I'm using Battery Doctor app to monitor the charging to keep my battery in a good shape, but the fact of life is that batteries wear on usage. It was time for me to replace it.

Going to an authorized Apple service was absolutely ouf of the question. I've always wanted to see what's inside my iPhone! The absolutely best thing is to get the new battery and tools for the service from iFixit.com. They even provide a very nice guide for the replacement job iPhone 4S Battery Replacement. As the obligatory warning part I'll simply say, that there are very small parts inside and provide this pic as proof:

That's set of iPhone screws on an euro 1 cent, which is on top of US quarter. The leftmost two screws are Phillips-head battery connector screws and the rightmost screws are original Apple Pentalobes. This should scare you away from ever attempting to do any of this stuff by yourself. If it doesn't, please read forward!

So, I put in my order and in a couple of weeks the box arrived from USA. The box contained:

• The replacement battery
• Phillips-head screwdriver to remove the battery connector and insert the liberator screws for the back lid
• Pentalobe-head screwdriver to remove the back lid
• Plastic tool for prying the battery loose from the sticky stuff it is fitted into
  

The first task is to remove the back lid. It can be done by removing the two Pentalobe-screws next to the bottom dock connector:

After the screws are removed, the back lid will slide bit upwards, that is away from the dock connector:

After that the lid should be loose and can be removed without applying force to it. It has some tricky plastic tabs on the sides, so please be careful with those. They're the ones actually holding the lid in place. Don't break them.

The guts of the phone look like this:

Next step is to remove the battery. This can be done by disconnecting the battery from the phone and then prying the battery loose from the glue. The battery connector looks like this:

It is mechanically not a tight one. First remove the two Phillips-head screws and the try to disconnect the connector pins by sliding the connector towards the battery, like this:

Warning: when the battery connector is loose, it is absolutely certain that you will remove a pressure connector in the process:

iFixit says "Pay attention to the pressure contact underneath the top screw of the battery connector. This may come loose while prying the battery connector from its socket". I already said: It will come loose! Just don't misplace it. Try to figure out how it was, to get it back in place.

Then pry the battery:

It is held in place by reasonable amount of gooey sticky stuff:

Now you have removed the battery! It is another story of getting it all back.

The battery looks like this:

Batteries from left to right: old backside, new backside, old front side, new front

Not much of a difference with the old and the new one. Based on the LMG 08/2013, my new one is manufactured about a year ago. It had 40% charge when I turned my phone back on, I guess that's ok.

Anyway, to put it back together, put the battery in it's slot and try to figure out how the connector cable goes so that it would be possible to put the connector screws back. Before actually placing the battery contactor, concentrate on the loose pressure connector. It should look like this:

Then put the battery connector and try to put the top screw in so, that it would hold both the battery and pressure connectors in place. Then put the bottom screw in. When done correctly it should look like this:

Then the last step is to put the back lid in, slide it to place and liberate your iPhone with the new Phillips-head screws:

After that you're done. Congratulations on your new battery!

When I first turned my phone back on, it didn't find my SIM-card. I don't know what happened, but everything else worked, except it never asked for my SIM PIN-code, nor ever found any telephone operators. I fixed the issue by shutting the phone, going to airplane mode didn't do the trick. On next power on, it did ask for my SIM PIN-code and found my telco quite soon.

My thanks goes to iFixit for their excellent guide. I simply wanted to do my own to fill in the gaps they left.

Since there has been no updates for Mr. Bjørn Grønli's spreadsheet, I chose to continue his work.

The link is https://docs.google.com/a/hqcodeshop.fi/spreadsheets/d/1ZJsy0q-8tmR8m32d1bCHkSv1neGVtA5v5TU4qVczH0Q

I did try out a number of SP104 and SP105 T-mobile (German Telecom) firmwares and found that they are really poor. 3 Italy was a pretty poor firmware, as I had problems logging in! Polkomtel's SP103 was a solid performer, but after a round trip, I went back to Telia's SP102.

Please drop me a comment if something is wrong or new columns should be added, or if I'm missing a firmware in the list. My idea is to try to keep this up to date with firmware information and I will appreciate any help from you.

Something changed in Firefox 30. Once in a while everybody runs into an untrusted certificate while browsing. There is a support article "This Connection is Untrusted" error message appears - What to do at Mozilla's support site. The idea is to click I Understand the Risks and proceed to the site.

Now the latest version chose not to display the button:

If the HTTPS-connection would fail miserably, it wouldn't display the option anyways, as there isn't any possibility to continue to the site. Here is an example:

But since this is not that case, the button should be there. Something changed, since it was there before. Googling gave me an about:config variable of browser.xul.error_pages.expert_bad_cert:

It had been turned into false for some reason. When the setting is true, the error screen changes:

Now there is an option to proceed. While at it, they failed. Adding an exception won't work:

Storing the option permanently or not has no effect. It still won't proceed.

Perhaps they'll fix this into Firefox 31.