Operating systems - 8

Earlier I wrote about upgrading my Windows 8 into Windows 8.1. At the time I didn't realize it, but the upgrade lost my Media Center Pack.

At the time I didn't realize that, but then I needed to play a DVD with the laptop and noticed, that the OS is not capable of doing that anymore. After Windows 8 was released it didn't have much media capabilities. To fix that, couple months after the release Microsoft distributed Media Center Pack keys for free to anybody who wanted to request one. I got a couple of the keys and installed one into my laptop.

Anyway, the 8.1 upgrade forgot to mention that it would downgrade the installation back to non-media capable. That should be an easy fix, right?

Wrong!

After the 8.1 upgrade was completed, I went to "Add Features to Windows", said that I already had a key, but Windows told me that nope, "Key won't work". Nice.

At the time I had plenty of other things to take care of and the media-issue was silently forgotten. Now that I needed the feature, again I went to add features, and hey presto! It said, that the key was ok. For a couple of minutes Windows did something magical and ended the installation with "Something went wrong" type of message. The option to add features was gone at that point, so I really didn't know what to do.

The natural thing to do next is to go googling. I found an article at the My Digital Life forums, where somebody complained having the same issue. The classic remedy for everything ever since Windows 1.0 has been a reboot. Windows sure likes to reboot. I did that and guess what, during shutdown there was an upgrade installing. The upgrade completed after the boot and there it was, the Windows 8.1 had Media Center Pack installed. Everything worked, and that was that, until ...

Then came the 2nd Tuesday, traditionally it is the day for Microsoft security updates. I installed them and a reboot was requested. My Windows 8.1 started disliking me after that. The first thing it did after a reboot, it complained about Windows not being activated! Aow come on! I punched in the Windows 8 key and it didn't work. Then I typed the Media Center Pack key and that helped. Nice. Luckily Windows 8 activation is in the stupid full-screen mode, so it is really easy to copy/paste a license key. NOT!

The bottom line is: Media Center Pack is really poorly handled. I'm pretty sure nobody at Microsoft's Windows 8 team ever installed the MCP. This is the typical case of end users doing all the testing. Darn!

I was pretty amazed to notice that my Mac actually wakes up for the sole purpose of running a scheduled backup and goes back to sleep. Oh, but why?

Going to web with the issue helped, I found Apple support community discussion with topic "time machine wake up unwanted". I don't think my pre 10.9 did that. Anyway I can confirm that 10.9 does this rather stupid thing.

Luckily the discussion thread also offers the fix: "Time Machine won't wake up a Mac, unless another Mac is backing-up to a shared drive on it via your network, and the Wake for network access box is checked in System Preferences > Energy Saver". Definitely something for me to try.

It helped! I can confirm, that there are no backups for the time my Mac was asleep. Pretty soon I woke it up, it started a TM-backup and completed it.

Thanks Pondini in Florida, USA!

Lot of my Windows 7 testing is done in a virtual installation. I run it under KVM and aim for small disc footprint, I have a number of other boxes there too. One day I came to realize that my Windows 7 installation is running out of disc space. That would be strange, I literally have nothing installed in it and it still manages to eat up 30 GiB of space.

There is Microsoft KB Article ID: 2795190 How to address disk space issues that are caused by a large Windows component store (WinSxS) directory explaining this behavior.

The fix is to use Deployment Image Servicing and Management tool DISM. Run something like this as administrator will help:

C:\Windows\System32\Dism.exe /online /Cleanup-Image /SpSuperseded

it will say something like "Removing backup files created during service pack installation". It will remove more than 4 GiB of space. Rest of the garbage will stay on the drive as they originate from regular windows updates.

Why does everything have to be updated via download? That's completely fucked up! In the good old days you could download an ISO-image and update when you wanted and as many things you needed. The same plague is in Mac OS X, Windows, all important applications. I hate this!

Getting a Windows 8.1 upgrade was annoying since it failed to upgrade my laptop. It really didn't explain what happened, it said "failed rolling back". Then I bumped into an article "How to download the Windows 8.1 ISO using your Windows 8 retail key". Nice! Good stuff there. I did that and got the file.

Next thing I do is take my trustworthy Windows 7 USB/DVD download tool to create a bootable USB-stick from the 8.1 upgrade ISO-file. A boot from the stick and got into installer which said that this is not the way to do the upgrade. Come on! Second boot back to Windows 8 and start the upgrade from the USB-stick said that "Setup has failed to validate the product key". I googled that and found a second article about getting the ISO-file (Windows 8.1 Tip: Download a Windows 8.1 ISO with a Windows 8 Product Key), which had a comment from Mr. Robin Tick had a solution for this. Create the sources\ei.cfg-file into the USB-stick with contents:

[EditionID]
Professional
[Channel]
Retail
[VL]
0

Then the upgrade started to roll my way. To my amazement my BitLocker didn't make much of a stopper for the upgrade to proceed. It didn't much ask for the PIN-code or anything, but went trough all the upgrade stages: Installing, Detecting devices, Applying PC settings, Setting up a few more things, Getting ready and it was ready to go. It was refreshing to experience success after the initial failure. I'm guessing that the BitLocked made the downloaded upgrade to fail.

Next thing I tried was to upgrade my office PC. It is a Dell OptiPlex with OEM Windows 8. Goddamn it! It did the upgrade, but at that point my OEM Windows 8 was converted into a retail Windows 8.1. Was that really necessary? How much of an effort would that be to simply upgrade the operating system? Or at least give me a warning, that in order to proceed with the upgrade the OEM status will be lost. Come on Microsoft!

Since Apple made a decision not to publish their operating systems as ISO-images on OS X 10.8, everybody has to create their own excitement (the phrase used to mock Gentoo Linux).

With Google, I found a very nice recipe for creating an image at the point where App Store has downloaded your free 10.9 upgrade, but it is not running yet. See it at Apple Insider forums with topic HOWTO: Create bootable Mavericks ISO. I followed the recipe with a simple copy / paste attitude and it did the trick. No funny stuff, no weird things you needed to know, it just did the trick and ended up with the thing I need.

I'll copy / paste the excellent writing of Mr./Mrs./Ms. CrEOF here:

# Mount the installer image
hdiutil attach /Applications/Install\ OS\ X\ Mavericks.app/Contents/SharedSupport/InstallESD.dmg \
-noverify -nobrowse -mountpoint /Volumes/install_app

# Convert the boot image to a sparse bundle
hdiutil convert /Volumes/install_app/BaseSystem.dmg -format UDSP -o /tmp/Mavericks

# Increase the sparse bundle capacity to accommodate the packages
hdiutil resize -size 8g /tmp/Mavericks.sparseimage

# Mount the sparse bundle for package addition
hdiutil attach /tmp/Mavericks.sparseimage -noverify -nobrowse -mountpoint /Volumes/install_build

# Remove Package link and replace with actual files
rm /Volumes/install_build/System/Installation/Packages
cp -rp /Volumes/install_app/Packages /Volumes/install_build/System/Installation/

# Unmount the installer image
hdiutil detach /Volumes/install_app

# Unmount the sparse bundle
hdiutil detach /Volumes/install_build

# Resize the partition in the sparse bundle to remove any free space
hdiutil resize -size `hdiutil resize -limits /tmp/Mavericks.sparseimage | \
tail -n 1 | awk '{ print $1 }'`b /tmp/Mavericks.sparseimage

# Convert the sparse bundle to ISO/CD master
hdiutil convert /tmp/Mavericks.sparseimage -format UDTO -o /tmp/Mavericks

# Remove the sparse bundle
rm /tmp/Mavericks.sparseimage

# Rename the ISO and move it to the desktop
mv /tmp/Mavericks.cdr ~/Desktop/Mavericks.iso

Thanks! 

This is something I've been trying to crack ever since I installed Fedora 19 alpha into my router. My HTTP-streams do not work. At all. Depending on the application and its retry-policy implementation some things would work, some won't. Examples:

• Playstation 3 updates: Updates load up to 30% and then nothing, this one I mistakenly thought was due to PS3 firmware update
  
• YLE Areena: No functionality after first 10-40 seconds
  
• Netflix: Poor picture quality, HD pretty much never kicks in, super-HD... dream on.
  
• Spotify: Works ok
• Ruutu.fi: Endless loop of commercials, the real program never starts
• Regular FTP-stream: Hang after first bytes
  

My Fedora 19 Linux is a router connecting to Internet and distributing the connection to my home LAN via NAT. The IPtables rule is:

iptables -t nat -A POSTROUTING -o em1 -j MASQUERADE

I found an article with title IPTables: DNAT, SNAT and Masquerading from LinuxQuestions.org. It says:

"SNAT would be better for you than MASQUERADE, but they both work on outbound (leaving the server) packets. They replace the source IP address in the packets for their own external network device, when the packet returns, the NAT function knows who sent the packet and forwards it back to the originating workstation inside the network."

So, I had to try that. I changed my NAT-rule to:

iptables -t nat -D POSTROUTING -o em1 -j MASQUERADE
iptables -t nat -A POSTROUTING -o em1 -j SNAT --to-source 80.my.source.IP

... and everything starts to work ok! I've been using the same masquerade-rule for at least 10 years without problems. Something must have changed in Linux-kernel.

I did further studies with this problem. On a remote server I did following on a publicly accessible directory:

# dd if=/dev/urandom of=random.bin bs=1024 count=10240
10240+0 records in
10240+0 records out
10485760 bytes (10 MB) copied, 1.76654 s, 5.9 MB/s

It creates a random file of 10 MiB. For testing purposes, I can load the file with wget-utility:

# wget http://81.the.other.IP/random.bin
Connecting to 81.the.other.IP:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10485760 (10M) [application/octet-stream]
Saving to: `random.bin'

100%[=================>] 10,485,760  7.84M/s   in 1.3s

2013-10-08 17:06:02 (7.84 MB/s) - `random.bin' saved [10485760/10485760]

No problems. The file loads ok. The speed is good, nothing fancy there. I change the rule back to MASQUERADE and do the same thing again:

# wget http://81.the.other.IP/random.bin
Connecting to 81.the.other.IP:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10485760 (10M) [application/octet-stream]
Saving to: `random.bin'

10% [=======>          ] 1,090,200   --.-K/s  eta 85m 59s

After waiting for 10 minutes, there was no change in the download. wget simply hung there and would not process without manual intervention. Its official: masquerade is busted.

Me finding a bug in Linux kernel is almost impossible. I'm not a kernel developer, or anything, but anything I try finds nothing from the net. So I had to double check to rule out following:

• Hardware:
• Transferring similar file from router-box to client works fully. I tested a 100 MiB file. No issues with my LAN or the client computer.
• Transferring similar file from outside-server to router-box works fully. I tested a 100 MiB file. No issues with my Internet connection.
  
• When not NATing, everything works ok. Based on this I don't suspect any hardware issues.
• There is no difference in my home if using WLAN or Ethernet. The problem is related to my POSTROUTING-setting.
  
• IPv4:
• I have a SixXS IPv6-tunnel at my disposal. Transferring a 100 MiB file from outside-server via IPv6 to the same a IPv4 NATed client works fully. No issues.
• My original claim is that MASQUERADE is broken, SNAT works. Functioning IPv6 connection supports that claim.

To further see if it would be a Fedora-thing, or affecting entire Linux, I took official Linux 3.11.4 source code and Fedora kernel-3.11.3-201.fc19.src.rpm and ran a diff:

# diff -aur /tmp/linux.orig/linux-3.11.4/net/ipv4/netfilter \
/tmp/linux.fc19/linux-3.11/net/ipv4/netfilter

Nothing. No differences encountered. Looks like I have to file a bug report to Fedora and possibly Netfilter-project. Looking at the change log of /net/ipv4/netfilter/ipt_MASQUERADE.c reveals absolutely nothing, the change must be somewhere else.

Is it just me, or is Apple's new iOS 7 just bunch of hot air?

I got the released version immediately to my iPhone and iPad. My initial reaction: the new colors are disgusting. Perhaps person using the new user interface needs to be drunk or on drugs to like them.

After half an hour of browsing archived 1995 black and white webpages, I was able to start using the painter's color sheet ... erhm... iOS 7. There was nothing improved there. Calendar had been made worse, month view didn't display entries anymore. The top left "bar" indicator had been turned into weird dots. Now it's not possible to ask "how many bars do you have?".

In the spirit of trying to be positive I found a single thing I liked. iCloud supports notes now. That I've been really waiting for. Hopefully they finally fixed the iPad's losing APN-settings bug. I have to admit, that the new swipe-screen looks good, much better than the classic old one. But something funny happens when you swipe, too many colors burn trough my eyes.

The official list of new features is here, but I still cannot find anything with a "wow"-factor in it.

Is it just me, or has somebody at Microsoft really dropped the ball on network location setting? When a Windows computer detects a new network, which it has not be attached into earlier, it pops you the question and asks about how to profile the security in that particular case. If everything goes ok, there is no need to change anything. However, when you install your computer, you don't get to answer that. Also, there is commonly known that people make mistakes. What if you simply fumbled the question and clicked wrong.

In Windows 7 the setting is simple:

You go there, click the value and select a better one. In Windows 8, Windows 8.1, Windows Server 2012 and Windows Server 2012 R2 that is not the case. The setting cannot be changed. Period. Wtf?

There is a way to change the setting. I found this article with Google: How do I set my wireless network to be private instead of public? The "Easiest" and "Most direct" are crap, IMHO. The part with Local Security Policy seems to work:

That seems to be working from Windows 7 onwards. Whose bright idea it was to make the change that difficult?

This is a follow-up for my previous article about running IPv6 and WLAN access point. There I said "This was actually very easy to do into DD-WRT" and now I'd like to take that back.

It seemed to be easy, but ... Here are my settings in detail. Btw. I'm running DD-WRT v24-sp2 big
Release: 07/24/13 (SVN revision: 22118)

1. disable the autoconfiguration from the WLAN access-point and manually define a static IPv6-address

This is the part which I struggled the most. Sure it is easy to remove the manually assigned IPv6-address from an interface, just run:

ip -6 addr delete 2001::-da-IP-here-/64 dev br0

on a shell. It will drop the autoconfigured address and it will stay away. For a while. It surely won't survive a reboot.

To make this stick, go to web GUI Administration --> Commands and add a startup command:

echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
echo 0 > /proc/sys/net/ipv6/conf/all/autoconf
echo 0 > /proc/sys/net/ipv6/conf/all/accept_ra
echo 0 > /proc/sys/net/ipv6/conf/all/accept_ra_pinfo

/usr/sbin/ip -6 addr add 2001:-da-IP-here-/64 dev br0

That makes the settings stick. Autoconfiguration will be gone and a static address will be assigned instead. I attempted at least 20 different combinations while looking the sysctl-settings list, but that was the 1st one I found to be actually functional for deactivating the autoconfig.

2. use a static default route from the WLAN access-point and confirm that it has proper IPv6-connectivity

4. make sure, that any incoming traffic from the mobile clients is properly routed to the real IPv6-router, and confirm that traffic flows both ways

Yet again, go to web GUI Administration --> Commands and add a startup command:

/usr/sbin/ip -6 route add default via 2001:-da-router-IP-here-::1 metric 1

That creates a static route which will work and fulfill the 2). To achieve 4) make sure to have the metric 1 at the end.

3. run router advertisement daemon (RADVD) to advertise the WLAN access-point as a proper router for any wireless clients

In the DD-WRT IPv6 article it said that RADVD configuration should be like this:

interface br0 {
   AdvSendAdvert on;
   prefix 0:0:0:1::/64 {
    AdvOnLink on;
    AdvAutonomous off;
   };
};

Don't do that! DON'T! It will royally fuck up your LAN. Nothing in IPv6-land will work if you literally copy/paste that like they suggest. The problem is with the prefix of 0:0:0:1::/64, it will assume that your network has that /64-prefix and assign route and IP-address for any IPv6-host with that prefix. I can bet you $1.000.000 dollars, that it will not be your IPv6-prefix. ... and win.

Just put the exactly same prefix your real IPv6-router has. The WLAN access point's RADVD should be configured pretty much exactly alike. For the configuration directives see radvd.conf manual-page. It literally says:

• AdvSendAdvert: do send advertisements, default is off
• AdvOnLink: use the prefix for link determination (meaning: yes you can get to The Net via this), it is on by default, you really don't need this line at all
  
• AdvAutonomous: do distribute new the IP-addresses from this RADVD to your wireless (and wired) clients, yet again it is on by default and you really don't need this
  

With these settings I succeeded a reboot and still had my wireless and wired clients working using either of the two IPv6-routers. On Windows the setup will display two default routes, like this:

PS C:\Windows\system32> netsh interface ipv6 show route

Publish  Type      Met  Prefix                    Idx  Gatewa
-------  --------  ---  ------------------------  ---  ------
No       Manual    256  ::/0                       18  fe80::
No       Manual    256  ::/0                       18  fe80::

On Linux:

# ip -6 route show | fgrep default
default via fe80:: dev eth0 metric 1024  expires 0sec mtu 1280 hoplimit 64
default via fe80:: dev eth0 metric 1024  expires 0sec mtu 1280 hoplimit 64

That's ok. IPv6 will support that ok. Just be aware, that your traffic may route either way.

I've been using IPv6 on my own LAN for years. Most of the things I use on daily basis have IPv6 and it seems to work. For example a Sony television or iPhone 4S does not use IPv6, but iPad does.

On my router there is a Router Advertisement Damon to do stateless auto-configuration. On Windows 7 and 8 they have really weird things running out-of-the-box, but I'm in a habit of running (as admin):

netsh interface ipv6 set privacy state=disabled store=active
netsh interface ipv6 set privacy state=disabled store=persistent
netsh interface ipv6 set global randomizeidentifiers=disabled store=active
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent
netsh interface teredo set state disabled

That way I'm using fixed IPv6-addresses and disable the unnecessary Teredo-tunnel.

I don't exactly know why or how, but on one of my computers (running Windows 7), the IPv6-sockects started to not work properly. The symptoms include lot of reconnections and for example in SSH-client, the connection would simply drop. I did everything I knew, but nothing helped. A failing SSH-connection would look like this on the wire:

After 31 seconds of connection, there is a sporadic retransmission. That is not dangrous and it happens sometimes. My Windows 7 would respond with a duplicate ACK into it, waits 3 seconds and goes ballistic. It simply starts re-transmitting the already transmitted data with 1, 3 and 5 second intervals before determining that the connection has died. WTF?! The connection is not bad! It works on all other computers. The issue can be easily repeated and it works the same way every time. Windows thinks it needs to start a burst of re-transmissions and disconnects when they seem to fail.

During one of the Google-session for the fix, I found netsh interface ipv6 reset command. I tried it:

PS C:\Windows\system32> .\netsh.exe interface ipv6 reset
Reseting Global, OK!
Reseting Interface, OK!
Reseting Subinterface, OK!
Restart the computer to complete this action.

Did the Windows restart, ran the above commands to disable privacy, randomization and teredo-tunnel. Everything started to work! Whooo-hoo! Now my SSH-connections don't drop anymore. How cool is that!

The fix is very microsoft-ish. Some counter ticked into illegal value and in their mind the correct fix is to reset everything to the post-installation state. On *nix-world network-stack -code would be of much better quality and the entire issue would never happen!

In my Fedora 19 I've been wondering why my NTPd does not start on boot. It used to do so couple of Fedora installations ago. This is not a big deal, so I've been mostly ignoring it. Today I dug up some energy to investigate.

The reason was much simpler than I tought. On my very short checklist were:

1. Confirm that systemd has ntpd.service enabled, it was.
   
2. Confirm that ntpd.service has a dependency to start the service after network interfaces are up, it was chained to do a single ntpdate update and start the daemon after it.
3. Needed interfaces have not been blocked and/or needed interfaces have been enabled in config, everything was out-of-the-box: all network interfaces allowed.
   

The daemon even had the panic-threshold disabled in the config, so it wouldn't choke on startup if time was badly off for some reason. I found no reason for the daemon to start.

However, doing a search for ntpd in /usr/lib/systemd/system revealed what was going on. chronyd.service has Conflicts=ntpd.service in the service description. WTF?! What the hell is chronyd?

According to http://chrony.tuxfamily.org/ it is "a pair of programs which are used to maintain the accuracy of the system clock on a computer". Sounds like a NTPd to me. Running netstat confirmed the fact:

# netstat -nap | fgrep :123
udp        0      0 0.0.0.0:123             0.0.0.0:*                           666/chronyd        
udp6       0      0 :::123                  :::*                                666/chronyd        

The daemon does bind to NTP-ports. To get chronyd running properly, all I had to do was add proper time source and allowed updates from my LAN with allow-directives.

That's it!

My Fedora 19 failed to boot if I had an entry for an iSCSI-mount in /etc/fstab. During boot the system just fell to emergency mode. To get the box to boot, I simply did a "stupd man's solution", and commented the line out. This is what happens if I have the standard line in fstab:

My fstab line is:

/dev/qnap  /mnt/qnap  ext4  defaults  1 0

It took me a while to get back to the issue and investigate, it was that bad. This is the clue I found on Fedora project's documentation about iSCSI. They said, that any iSCSI-volumes should be mounted with a special flag _netdev. I changed to that, and hey presto! During bootup, it first does something and then mounts the iSCSI-drive. I merged those two occurrences into a single photo:

It works! I'm so happy about this. For clarity, the fstab-line is:

/dev/qnap  /mnt/qnap  ext4  _netdev  0 0

During my ventures in the Linux-land, I constantly package and re-package RPMs. Sometimes to introduce new functionality to existing package or to simply get a newer version that distro vendor is prepared to offer. Number of times I've created packaging to software that is not in the distro at all.

Another thing I love using are symlinks. I can have newer and older package of a software and can simply switch with updating the symlink into correct version. When I combined those two, it bit me in the ass.

I had quite simple script-blocks to handle the symlink:

%post
cd /my/package/directory/
%{__rm} -f my.cool.symlink-name
ln -s package/library/my.cool my.cool.symlink-name

%preun
%{__rm} -f /my/package/directory/my.cool.symlink-name

On install, that worked, but on update/freshen there was no symlink left. I was puzzled, why is that? Little bit of googling revealed two pieces of information: RPM spec-file documentation about scripts, especially the Install/Erase-time Scripts -part and 2nd the Fedora Project's packaging information, especially the scriptlet ordering. I'll abbreviate the Fedora's ordering here omitting the non-interesting parts:

1. %pre of new package
   This is the part where my script confirms that the symlink exists.
   
2. (package install)
3. %post of new package
4. %preun of old package
   During update/freshen, this is the part where my script removes the symlink created in 1.)
   Crap!
   
5. (removal of old package)
6. %postun of old package

Further reading of RPM spec-docs said "the argument passed to version 1.0's scripts is 1". Ok, nice to how, but now what? How can I utilize the information? What is the exact syntax for the script? The only usable information I found was in the Fedora packaging instructions, there was an example:

%preun
if [ $1 = 0 ] ; then
  /sbin/install-info --delete %{_infodir}/%{name}.info %{_infodir}/dir || :
fi

So this was the thing I had to try. My solution is to change the %preun-block:

%preun
if [ $1 -lt 1 ] ; then
  # This is really an un-install, not deleting previous version on update
  %{__rm} -f /my/package/directory/my.cool.symlink-name
fi

I did that and upgraded the package. Poooof! The symlink was gone like there was no change at all. WHY? I upgraded the revision number of the package and upgraded again. NOW it worked! Nice.

There is a simple explanation what happened. It says in the Fedora project's order-list that "%preun of old package". OLD package! It works starting from the next update, but not on the first one.

Anyway I was delighted to get that one sorted.

Previously I've studied the init.d replacement systemd.
Update 4th Jun 2017: See the new version

To my surprise, my contraption from the previous article didn't survive a reboot. WTF?! It turned out that in Fedora 19 the /var/run/ is a symlink into /run/ which has been turned into tmpfs. Goddamnit! It literally means, that it is pointless to create /var/run/<the daemon name here>/ with correct permissions in RPM spec-file. Everything will be wiped clean on next reboot anyway.

So, I just had to study the systemd some more.

This is my version 2 (the Unit and Install -parts are unchanged):

[Service]
Type=forking
PrivateTmp=yes
User=nobody
Group=nobody
# Run ExecStartPre with root-permissions
PermissionsStartOnly=true
ExecStartPre=-/usr/bin/mkdir /var/run/dhis
ExecStartPre=/usr/bin/chown -R nobody:nobody /var/run/dhis/
# Run ExecStart with User=nobody / Group=nobody
ExecStart=/usr/sbin/dhid -P /var/run/dhis/dhid.pid
PIDFile=/var/run/dhis/dhid.pid

The solution is two-fold. First an ExecStartPre-directive is required. It allows to run stuff before actually executing the deamon. My first thing to do is create a directory, the minus sign before the command says to ignore any possible errors during creation. The target is mainly to ignore any errors from the fact that creation would fail due to the directory already existing. Anyway, all errors are ignored regardless of the reason.

The second command to run is to make sure that permissions are set correctly for my daemon to create a PID-file into the directory created earlier. That must succeed or there will be no attempt to start the daemon. chowning the directory will fail if the directory does not exist, or any other possible reason.

Sounds nice, huh? Initially I couldn't get that working. It was simply due to reason, that the entire Service-part is run as the user pointed by the User=nobody and Group=nobody -directives. That user was intentionally chosen, because it has very limited permission anywhere or anything. Now it cannot create any new directories into/var/run/. Darn!

This where the solution's 2nd part comes in. Somebody designing the systemd thought about this. Using the PermissionsStartOnly-directive does the security context switch at the last moment before starting the daemon. This effectively changes the default behavior to allow running Service-part as root, except for the daemon. Exactly what I was looking for! Now my daemon starts each and every time. Even during boot.

Another thing which I noticed, is that when I edit a systemd service-file, the changes really don't affect before I do a systemctl --system daemon-reload. It was a big surprise to me, after all in traditional init.d everything was effective immediately.

PS.
Why cronie does not create a PID-file? I had an issue in CentOS where I had not one, but two cron-daemons running at the same time. This is yet another reason to go systemd, it simply works better with ill-behaving deamons like cronie.

I've been using a Windows 8.1 preview for a while and being a web developer, I stumbled into couple of noteworthy issues with IE 11. See my previous entry about Win 8.1.

User-Agent string

There are pretty much 2 variants:

Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.3; WOW64; Trident/7.0; .NET4.0E; .NET4.0C)

or:

Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

The only way I could get the "like Gecko" -mode enabled on a XHTML 1.0 -site, was from developers tools in the Edge-mode. My site also has a <meta http-equiv="X-UA-Compatible" content="IE=9" /> in it, but removing or adding the tag does not seem to have any effect. I'm guessing, that Edge-mode works out-of-the-box only in HTML 5. The important thing to not here is, that IE 11 declares itself as a IE 7.0, but unlike a "real" IE 7, this has Trident rendering engine 7.0. Also there is declaration of a "real-version" or rv:11.0.

Emulating previous browser versions

Gone. The good thing is that F12 developers tools have been completely re-written, but it is impossible to get the classic standards selection. I found two discussions about that. First is from superuser.com and second from stackoverflow.com.

Microsoft's idea is to go to http://www.modern.ie/en-us/virtualization-tools  and use their virtualization service / tools to use a proper old browser. My advice would be: just ignore anybody using the ancient crap. I'd draw the line on IE 9, it still is pretty popular browser, but on my statistics anything older than IE 8 are totally gone.

Getting Zend Framework 1 to detect IE 11 properly

On my projects I have the ZF 1 running. I've been using Browser Capabilies Project's browscap.ini on PHP. It has solid integration into ZF 1. The bad thing is that BCP is not well maintained anymore due to key persons losing interest into maintaining one. Anyway, here is my patch into 5020:

--- php_browscap.ini.orig       2013-07-31 16:20:08.749140271 +0300
+++ php_browscap.ini    2013-07-31 16:24:14.563058655 +0300
@@ -31179,6 +31192,64 @@
 Platform="WinNT"
 Platform_Version=3.1

+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; IE 11.0
+
+[IE 11.0]
+Parent=DefaultProperties
+Comment="IE 11.0"
+Browser="IE"
+Version=11.0
+MajorVer=11
+MinorVer=0
+Beta=true
+Win32=true
+Frames=true
+IFrames=true
+Tables=true
+Cookies=true
+BackgroundSounds=true
+JavaScript=true
+VBScript=true
+JavaApplets=true
+ActiveXControls=true
+CssVersion=3
+
+[Mozilla/*(Windows NT 6.1*64*Trident/7.0; rv:11.0*)]
+Parent=IE 11.0
+Platform="Win7"
+Platform_Version=6.1
+Win32=false
+Win64=true
+
+[Mozilla/*(Windows NT 6.1*Trident/7.0; rv:11.0*)]
+Parent=IE 11.0
+Platform="Win7"
+Platform_Version=6.1
+
+[Mozilla/*(Windows NT 6.2*Trident/7.0; rv:11.0*)]
+Parent=IE 11.0
+Platform="Win8"
+Platform_Version=6.2
+
+[Mozilla/*(Windows NT 6.3*Trident/7.0; rv:11.0*)]
+Parent=IE 11.0
+Platform="Win8.1"
+Platform_Version=6.3
+
+[Mozilla/*(Windows NT 6.3; WOW64*Trident/7.0; rv:11.0*)]
+Parent=IE 11.0
+Platform="Win8.1"
+Platform_Version=6.3
+Win32=false
+Win64=true
+
+[Mozilla/*(Windows NT 6.3; Win64*Trident/7.0; rv:11.0*)]
+Parent=IE 11.0
+Platform="Win8.1"
+Platform_Version=6.3
+Win32=false
+Win64=true
+
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; IE 10.0

 [IE 10.0]

The 2nd glitch is that ZF 1 heavily relies on seeing string "MSIE" in the UserAgent identification to determine, that we're talking about Internet Explorer. IE 11 doesn't state that anymore. It want's to be like Mozilla's Gecko-engine, and happily says so. My patch for ZF 1:

--- library/Zend/Http/UserAgent/AbstractDevice.php.orig 2012-11-16 17:23:41.000000000 +0200
+++ library/Zend/Http/UserAgent/AbstractDevice.php      2013-07-31 13:58:15.422657840 +0300
@@ -512,6 +512,19 @@
         } elseif ($product == 'mozilla' && $result['browser_version'] < 5.0) {
             // handles the real Mozilla (or old Netscape if version < 5.0)
             $result['browser_name'] = 'Netscape';
+        } elseif ($product == 'mozilla' && isset($result['comment']['full']) &&
+            preg_match('#^([^;]+);.+Trident/(.+);\s+rv:(.+)#', $result['comment']['full'], $real)) {
+            // MSIE 10+ in native mode.
+            // In emulation mode, will match MSIE 7.0
+            $result['browser_name'] = "MSIE";
+            $result['browser_engine'] = "MSIE";
+            $result['browser_version'] = $real[3];
+            $result['browser_token'] = 'MSIE ' . $real[3];
+            if (isset($result['others']['full'])) {
+                $result['compatibility_flag'] = $result['others']['full'];
+                unset($result['others']);
+            }
+            $result['device_os_token'] = $real[1];
         }

         /** windows */
@@ -523,6 +536,8 @@
             if (strpos($result['device_os_token'], 'Win') !== false) {

                 $windows = array(
+                    'Windows NT 6.3'          => 'Windows 8.1',
+                    'Windows NT 6.2'          => 'Windows 8',
                     'Windows NT 6.1'          => 'Windows 7',
                     'Windows NT 6.0'          => 'Windows Vista',
                     'Windows NT 5.2'          => 'Windows Server 2003',

That makes ZF 1 react alike for IE 11 and all other versions before that. I did test that on IE 8, IE 9, IE 10 and IE 11. Also I confirmed that to function with IE 10 and IE 11 in IE 7 emulator mode.

64-bit process

Normally I run only 64-bit browsers. Google's crappy Chrome won't do that, so I try to stay away from it. Firefox has excellent spin-off project of CyberFox, most IE versions have 64-bit counterparts, Opera has 64-bit version. The thing with 64-bit browsers is that there are a number of exploits for browsers which are tailored to run on 32-bit processes.

Anyway, the story is that on Windows 8 and Windows 8.1 the tile-mode IE is always 64-bit, but desktop-mode is always 32-bit. Ghacks.net has a story about getting IE 10 in Windows 8 to run 64-bit in desktop-mode, but I fail to confirm the results.

On IE 11 I found a setting of "Enable 64-bit processes for Enhanced Protected Mode":

... I don't know how it should affect the browser behaviour. I'm still getting:

The root-process of IE seems to be 64-bit, but anything with a real web-page in it, is always 32-bit on desktop side. Tile-mode looks like this:

So, no avail for me. Any ideas are welcome.