January 18, 2021
Blog is now hosted at https://shamil.gumirov.org
Labels: blog
December 8, 2020
Blog is moving soon and "beta" announcement
The new blog shares a CI/CD built for my self-hosted services (like Jabber server, Blog, Mail, Jitsi meet, Mumble and others). Currently I use a Gitlab-based deployment with an orchestrator repo, a makefile per service and a private docker registry for container images. All services are containerized for isolation and ease of moving around. It has grown evolutionarily, but resembles k8s, so I plan to move to k8s, maybe at the end of December.
I've patched blog2md to correctly export comments too, see details. All 220 posts in the hugo-based blog are exported from blogger using this, without many modifications afterwards. Some are still needed, mostly related to preformatted code from pre blocks. I did not make a patch to blog2md yet and am not sure if I ever will, as they're pretty minor.
Labels: blog, blogger, CD, deployment, gitlab, hugo, k8s, kubernetes, selfhosted, ungoogle
April 8, 2020
Sudoed podman cannot listen to privileged ports
It's impossible to reach any exposed privileged port from an external network when running podman:
sudo podman run -p 80:80 -it nginx
Setup: dedicated Centos 8, clean install + docker, no firewalld, iptables at "allow-all" default ruleset. With docker, however, it works without a problem.
What I was trying to run, which needed to listen on privileged ports, is certbot inside docker. The motivation is to avoid installing python dependencies or else downloading and running an unknown binary.
Labels: centos, centos8, certbot, docker, letsencrypt, linux, opensource, podman
April 4, 2020
Fresh centos8 podman/buildah issues related to alpine
Lately I've been trying out Centos 8 and moving to openshift with podman and buildah as docker replacements. So far not without interesting problems!
In a freshly installed updated centos8 it's impossible to build any alpine-based repo or even pull alpine itself:
$ podman pull alpine
...
Error committing the finished image: error adding layer with blob "sha256:aad63a9339440e7c3e1fff2b988991b9bfb81280042fa7f39a5e327023056819": Error processing tar file(exit status 1): there might not be enough IDs available in the namespace (requested 0:42 for /etc/shadow): lchown /etc/shadow: invalid argument
The following solution is mentioned in libpod issue 2788:
# dnf reinstall shadow-utils
I did not investigate this in depth, however it seems the capabilities are set wrong for shadow-utils with a yum installation (yum reinstall does not fix this):
$ getcap /usr/bin/newuidmap /usr/bin/newgidmap
Here's the expected output for the command above:
/usr/bin/newuidmap = cap_setuid+ep
/usr/bin/newgidmap = cap_setgid+ep
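A small checker for the getcap output above, added here as an example and not part of the original post. It assumes the helpers rely on file capabilities as on this Centos 8 setup, accepts both the older `path = caps+flags` and the newer `path caps=flags` libcap output styles, and uses constructed sample output.

```python
import re

# Capabilities the post's expected getcap output lists for the two helpers.
EXPECTED = {
    "/usr/bin/newuidmap": {"cap_setuid"},
    "/usr/bin/newgidmap": {"cap_setgid"},
}

# Older libcap prints "path = caps+flags"; newer libcap prints "path caps=flags".
# Only single-clause lines are handled, which is all these two helpers need.
_LINE = re.compile(
    r"^(?P<path>\S+)\s+(?:=\s+)?(?P<caps>[a-z0-9_,]+)[+=](?P<flags>[eip]+)$"
)


def parse_getcap(output):
    """Map each path in getcap output to {capability: set of flag letters}."""
    result = {}
    for line in output.splitlines():
        m = _LINE.match(line.strip())
        if m:
            flags = set(m.group("flags"))
            result[m.group("path")] = {c: flags for c in m.group("caps").split(",")}
    return result


def missing_capabilities(output, expected=EXPECTED):
    """Return {path: [capabilities that are not both effective and permitted]}.

    getcap prints nothing for a file without capabilities, so a path that is
    absent from the output is reported with all of its expected capabilities.
    """
    found = parse_getcap(output)
    problems = {}
    for path, caps in expected.items():
        have = found.get(path, {})
        bad = sorted(c for c in caps if not {"e", "p"} <= have.get(c, set()))
        if bad:
            problems[path] = bad
    return problems


# Constructed sample outputs (not captured from a real host).
OLD_FORMAT = "/usr/bin/newuidmap = cap_setuid+ep\n/usr/bin/newgidmap = cap_setgid+ep\n"
NEW_FORMAT = "/usr/bin/newuidmap cap_setuid=ep\n/usr/bin/newgidmap cap_setgid=ep\n"
BROKEN = "/usr/bin/newgidmap = cap_setgid+ep\n"  # newuidmap lost its capability

if __name__ == "__main__":
    for name, sample in (("old", OLD_FORMAT), ("new", NEW_FORMAT), ("broken", BROKEN)):
        print(name, missing_capabilities(sample) or "ok")
```

To check a real host, pass the captured output of the getcap command above to `missing_capabilities`.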
Labels: buildah, centos, centos8, dnf, opensource, podman, yum
February 15, 2020
Google's fake security procedures
- Lock account.
- On log in, check for password and then ask for phone.
- Accept OTP via any phone. Note: the phone is not stored as security phone! It's only one time random phone.
So I expect more problems with using gmail to send automatic notifications from my small service installations like personal devops. This means it's much better to discover and move to a custom mail server from Gmail. Sounds like paradise: no more worrying about email account locking, no more "look into spam folder". This is how email is supposed to work :)
The only real big problem is that Google actually implements fake security, with "fake" as in "fake news". Something in a shell called "security" but not actually that. So it lies to its users, covering its intentions with the "security" topic, like "we've blocked your account to increase security". Or wait, that's not the account's security, but Google's (like securing our infrastructure by getting rid of bots)?
Labels: account, email, fake security, google, lock
January 20, 2020
On work processes
The remark is very right, it's from Spotify's videos on the topic:
"healthy culture heals broken process".
So the organizational hierarchy of company values should be:
culture > process > work
The culture cannot be built with any amount of process, so it's on a higher level.
Also the process helps to make fewer mistakes in work, while not being work itself.
January 10, 2020
On undoing git mistakes
https://sethrobertson.github.io/GitFixUm/fixup.html
Also this is a great example of a dynamic "web app" without javascript! Yep, sir, anchors only. I really love pragmatic simplicity of this kind.
Labels: git, no javascript, reference, undo
January 9, 2020
Android Emulator in Docker
$ make build-base && make build && make start
This provides an emulator device waiting to run your tests.
PS I am not a big fan of building in docker, however it's possible using the avd-base image from the same project. I will cover this later.
Articles on building large systems
A good overview of using kubernetes for large finance projects by a brilliant architect, Oleg Chunikhin (now CTO at Kublr), and Terry Shea, with whom I was lucky to work during the early days of my career:
Making Kubernetes a Reality for Financial Services
Here's a nice description of the key moments on the way of working on a scalable cloud system:
How to sleep at night having a cloud service: common architecture do's
A must-read about choosing technologies:
Choose boring technology.
Labels: architecture, bookmarks, cloud, kubernetes, scalability, software architecture
January 8, 2020
Android: one ViewModel per view
Do not create huge ViewModels, keep it simple. Yes, it's more classes per view, however your support and development costs are closer to linear in time.
Labels: android, architecture, mvvm, software architecture, view, viewmodel
January 7, 2020
Blog migration to hugo
Sharing here some experience in process (will update this post until done).
TL;DR:
- Install latest hugo with snap
- Find and install theme (with git submodule - see below)
- Try blog with "hugo server ..."
- Setup publishing pipeline on blog changes (for example, Jenkins or whatever is preferred).
- Install blogger_to_hugo migration tool
- (This one is not specific to anyone I suppose. I don't want to experiment with lots of new packages in my main macos system, so installing debian 9 as vbox VM. All further is done there).
- Run migration from blogger backup with blogger_to_hugo. I got an error:
TypeError: object of type 'NoneType' has no len()
Seems like it expects only English post titles (or maybe texts in English too) and crashes otherwise. Too bad.
- Use blog2md which produces a bunch of .md files (not sure about non-english titles, but no crash at least).
- Install and try to use zzo theme. It turns out that hugo 0.58 is not compatible. Although it's latest in debian sid (unstable) repo!
- Use snap installer (another repo to think of..): snap install hugo
- Hmm, the zzo theme still does not work, showing a bunch of "render of 'page' failed..." errors and crashing in the end. Could be the non-english titles.
- Trying a hugo theme pure.
- Copy and edit config from example site of a chosen theme.
- Use git submodules for themes if your blog is in git (which itself is a great idea too!) like:
git submodule add https://github.com/SOME/THEME themes/THEME
- Use snap (it's in bad ones too) - to experiment only.
- TL;DR: always use system packages, do not install binaries.
I strongly advocate against using a zoo of repo managers (read: snap, pip, etc. - whatever is non-native to your OS update subsystem) or binaries for anything running at runtime on a server. It takes a huge amount of maintenance to keep track of major updates. Most probably you would miss a serious vulnerability at some point. Even old versions of packages in debian stable receive security fixes (they are backported), which you would need to do yourself manually for any separate repo manager not added to your cron (most probably manually too).
- Test your hugo+chosen theme with all desired charsets before everything else. It's really hard to believe that modern software written in golang crashes on non-ascii (read: utf-8 or cp-1251), but that's what happens to hugo with some themes.
- Good old backslash escaping is not what works in yaml out of the box. To escape an apostrophe (single quote) use '' (yes, type it twice). Enjoy this good reading before going to bed (do not): https://yaml.org/spec/1.2/spec.html
December 10, 2019
An interview assignment: ML image classifier (WhatsThat app)
WhatsThat app privacy policy:
No user data is collected by app.
P.S. Actually it's a completely offline app: it contains no networking code at all.
Project summary
A summary of what's done is below (see more in the repository readme):
- Android app in kotlin with MVVM and JetPack, TensorFlow image classifier for CameraX preview.
- Tests: unit (Robolectric JVM-based) and instrumented (uses Android emulator to run).
- Repository: Gitlab with safe workflow: development is done in feature branch, merge requests to master with Build/Test CI pipeline checks before able to merge to the master branch.
- CI: Gitlab integrated with Jenkins. Build is executed for any push to feature branch.
- Project tracking: Jira with Kanban. All commit messages are automapped to Jira tickets using "smart commit messages". Merge of MR leads to automatic Jira ticket state change (move to Done)
- CD: publishing is done to Artifactory (artefacts repository)
- Set up separate Jenkins slave to run project tests which require Android emulator for instrumented testing.
How to install app
- How to test: send me google account email to be added to internal testing group. Once confirmed a link will be sent and app can be installed. (Sorry for inconvenience, it's Google Play rules).
- How to install (for hackers: developer settings must be enabled and unsafe unknown sources installs option enabled there): download file, add .apk extension and upload to phone with adb install release.apk. Link to the latest master build: in Artifactory.
Update 10 Dec:
- Implemented unit and instrumented tests
- Added unit test to CI pipeline
- Started adding dockerized android for instrumented tests (problem: server does not provide /dev/kvm, so emulator needs to be tuned to use ARM system image)
- Added user to Jira, Jenkins, Artifactory. Will share credentials tomorrow in a task report.
- Todo: Add Jenkins-slave with kvm to run instrumented tests.
- Added MVVM with Jetpack to easily bind image classification with UI output
- Added dagger2 for simpler loading of components
- TensorFlow model now works fine
- Project repo: https://gitlab.gotalkmobile.com/shamilg1/image-classifier
- Added Jira/Gitlab/Jenkins/Artifactory integrations and set up CI pipeline with CD to Artifactory.
- Added planned tasks to Jira (Kanban-based).
- Basic kotlin CameraX implementation is done.
- Tomorrow todos: set up basic quantized image analysis integration and further experiment with models.
5 Dec 2019. I've got assignment for the interview with a nice startup on ML image classification using existing pre-trained model. The aim of this project is to share my skills and experience in dealing with project, specifically an Android app.
- TensorFlow (for IoT and mobile devices, has pre-trained models)
- ML Kit
- CloudVision (google cloud backed only, has first-1000-images-free period)
- AutoML (this is on training a custom model)
There're some good ML learning materials not tied to specific framework:
- ML Practicum: Image Classification: https://developers.google.com/machine-learning/practica/image-classification
- ML crash course (this is a dependency for first one): https://developers.google.com/machine-learning/crash-course/
Labels: android, artifactory, dagger2, docker, espresso, interview assignment, jenkins, jetpack, jira, kotlin, machine learning, mvvm
December 8, 2019
Product-minded engineers
- https://blog.pragmaticengineer.com/the-product-minded-engineer/
- https://medium.com/@sherifmansour/product-engineers-f424da766871
Labels: engineer, hiring, product, work process
December 7, 2019
Upgrade of Android Studio forgets most code style settings
Labels: android studio, shit
September 10, 2019
Plantuml + Gitlab is risky
Labels: devops, diagram, docker, git, gitlab, plantuml, security, uml, work process
September 8, 2019
On Facebook user data leaks
I know of no evidence of the following, so I'm not stating it's true at all. Though in light of user data usage restrictions and depersonalisation, the real user data would definitely help those who buy ads on Facebook. To put it straight: leaks lead to a rise in ad sales!
What I believe is true is that until companies like Facebook are punished really hard for user data leaks, data leak incidents will continue to happen.
Labels: ads, data leaks, facebook, security, user data
August 2, 2019
Debian Buster (10) no Java 8 support
This reminds me a lot of this almost comedic video on how hard it is to describe the life of a sysadmin to non-IT people. Palm, palm, palm.
Video link
So no Debian 10 for my X220. Thinking about arch (used it for some years, with some luck of failing video drivers - I don't have a good feeling about it being on laptop) or centos (happy with it on server, not sure about client). Also maybe a Debian 9 is a logical choice as seems like it has Java 8 supported by default.
Labels: arch, centos, debian, java, java 8, laptop, linux, openjdk, opensource, x220
June 11, 2019
An "Ungoogled" Chromium: how to move from Chrome
What I came across is "ungoogled chromium", which can be downloaded like many other chromium variants from here. Not sure about the next step; I can possibly compile it myself, importing the latest patches or reverting the patch related to the API cut (I'm sure they'll make it impossible, though).
There are some challenges in the process of moving to Chromium from Chrome, though. Copying the profile is not enough ;)
- If you want to move to Chromium smoothly and save your open tabs, the trick is to copy the user profile while Chrome is open (as Chromium resets some of the settings while opening a newly copied profile, it starts with the "Open with new tab" option, effectively forgetting all your tabs).
- In Chromium passwords cannot be imported. At all. Or saved. Until you delete "Login Data*" files (DB itself and -journal).
- Extensions cannot be set up from chrome store. Download process is manual using download URL below or here with pictures (if you don't mind some Japanese).
- Look through
https://clients2.google.com/service/update2/crx?response=redirect&prodversion=[PRODVERSION]&acceptformat=crx2,crx3&x=id%3D[EXTENSIONID]%26uc
PS Speaking of privacy and adblock-related extensions, I'm using uBlock origin (gorhill's one) and Tampermonkey with some Medium-related scripts. Cannot imagine browsing without them - internet is just hell (from my point of view I can compare it with popups and blinking banners of 90s).
Labels: chrome, chromium, extensions, google, opensource, privacy, security, ublock
May 7, 2019
Flickr: an end of era and Thoughts on software subscription model
Flickr
I've just noticed that Smugmug's acquisition of flickr led to a 2x price rise: since 2018 a year of Pro costs $50 (and they are allowing 1000 only - I have more - while deleting all other photos). So I'm downloading my photos and closing my account at flickr. Frankly speaking, it's not only the price, but that definitely was a turning point for me.
Not sure yet where to host instead (and whether I need photo hosting at all). I seem to not like or need any of them, including instagram, fb, vk.
Thoughts on software subscription model
PS The software prices of 80s are high. But it seems like software prices have been rising for some time now with the spread of the subscription model. Take for example lightroom. The 6th version infinite license (not subscription one) cost around $150. Subscription cost $120 yearly. Same for MS Office. Sure, it comes with oneDrive, and oneDrive's file on-demand download works like magic (compare it with the dropbox process of selecting the folders to sync manually and hoping nothing is lost). But if one does not want or need it, no way.
This year I stopped using the Lightroom subscription after paying $180 - I just realized that paying more than the infinite license cost before is wrong and I have a kinda mental right (although for sure not any kind of legal one, and for the record I do not do this!) to pirate it ;-).
And don't give me that bullshit on software updates that cost a lot. As a local software user I want stability and predictability more than any updates (OS is a completely different substance as it's dealing with networking and security). Oh, I know that software engineers want salaries to feed their families. But please just let your users decide if they want a new version or stay with this one. Limiting options to "pay for new version or stop using it" is just a wrong dichotomy. Company can hire contractors on monthly basis ;-)
April 27, 2019
Is Medium a noise-based platform?
"This image has nothing to do with the article, but Medium recommended to add a picture ¯\_(ツ)_/¯".
Hey. Stop. If this has nothing to do with your article, why the hell did you add it? I don't care about my bandwidth, but it still consumes screen space (even blocked - it's blank space) and it's noise as author just sincerely wrote.
This shall not be the modern web. Yet Medium is a profitable company! I now still use Blogger which shares founder with Medium. But Blogger was and is not that bad!
Just to give some clue of how much noise is on the first page of a regular Medium-based blog here's a screenshot (hint: everything is a noise!):
UPD: typos, formatting.
Labels: blog, blogger, internet, marketing, medium, noise, web
April 23, 2019
Upgrading Android project to Studio 3.4
- dependency versions chain upgrade: studio -> gradle plugin -> kotlin version
- solving mysterious problems with desugaring D8 (add "android.enableD8.desugaring=false" to gradle.properties)
I'm not very happy when I'm unexpectedly forced to spend 3h+ on infinite chain of tasks. This repeats itself for most of the Android Studio upgrades.
Labels: android, android studio, kotlin, upgrade
April 14, 2019
Blueprint reverse-engineer server configuration
Labels: business, configuration, hosting, linux, management, server
April 2, 2019
Brilliant talks on technology and leadership
on tech leadership without management
on great principles of tech leadership
Labels: Brian Cantrill, fun, humor, leadership, talk, tech, technology, video
March 15, 2019
Android "DataBindingComponent not found" error solution
dataBinding {
    enabled = true
}
kapt {
    javacOptions {
        // Increase the max count of errors from annotation processors.
        // Default is 100.
        option("-Xmaxerrs", 500)
    }
}
Labels: android, build, data binding, databinding, error, gradle, java, kotlin
February 21, 2019
Email validation regex
Labels: email, regex, rfc, rfc 822, validation
December 9, 2018
Why FAR manager is better than Midnight Commander?
November 23, 2018
Jira manual update process is ugly and does not have any alternative
When the time came to update the Jira version, a quick check showed that there's no way to update Jira in any automatic way. The administrator must each time go to the web site, choose the OS version, start the download, abort it, copy the link from Downloads and wget or curl it on the server. Then manually unpack it and play with symlinks (or some other way to gracefully abort the upgrade if one prefers).
Seems like in this case Atlassian has some business requirements that override product usability. This is the first sign that the product design is driven primarily by the interests of non-tech people in Atlassian. As the Jira product is sold to support the technical process and make it cheaper, this decision to make the update process unstable (as it needs special attention) ruins my trust in the product and the company in general. To understand the scale of this decision, just imagine that, for example, 10 different products on your servers need a manual update process. This is at least annoying and bug-prone because it involves the human factor. So from my point of view this is a clear sign that (1) either the company generates enough money to let marketing people make shitty decisions that override technical ones and not think about competitors, or (2) the company's left hand does not know (and care) about the right one. Either of which is very bad from the client's point of view. Any good alternatives for a bugtracker?
Labels: autoupdate, bugtracker, bugtracking, jira, linux, manual, no-autoupdate, shit, upgrade
October 20, 2018
Example of bad security model and "We have noticed an unusual activity in your account."
Of course sometimes companies use any little reason to get more pieces of personal information, like the mobile phone number. For example, it makes absolutely no sense to ask for a phone number after "unusual account activity" has already been detected. Asking the user who is logging in to provide his phone number (and possibly linking it to the account as a 2FA or account recovery channel) is actually a very bad idea in this situation! Because if an attacker already has the password on hand, he can also link his phone number, thus effectively preventing the account owner from logging into the account forever.
Threat modelling can help understand such situations and prevent them.
Labels: account, security, threat model
October 18, 2018
Research on why iTunes is launched sometimes when I wake up macbook
Labels: bluetooth, headset, knock-knock, osx, resume, sleep, wakeup
August 28, 2018
On SSH security
Android emulator window @xfce does not gain keyboard focus
July 24, 2018
Frightening small price for a 48Mpix
Labels: marketing, photo, photography, sensor
June 17, 2018
Always test for Very Large Input
Labels: automated tests, integration tests, memo, tests
June 13, 2018
Docker build unicode filenames issue
Labels: docker, docker build, file, linux, osx
May 10, 2018
Publish your content on your own site
May 4, 2017
How to type in Unicode (for linux)
April 18, 2017
Wrong frameworks?
- Telegram consumes 1% CPU time (14 minutes in total for 3 days) and 68Mb RAM
- WinWord with 2 docs opened consumes 0% CPU (0 (zero) minutes 34 seconds in total for 3 days) and 43Mb RAM
Labels: cpu, memory, opensource, ram, resources, telegram, winword, word
April 14, 2017
Patch to stop video autoplay in Chrome
So I've patched the Chrome (chromium actually) source code and compiled it for myself from source. Voila, it works! The patch is below, just to show how simple the change is (it has been discussed for 2 years with no effect, while the problem itself has existed for much more than 5 years).
And yes, I don't mind pressing manually for video to start every time. Also I don't mind stop wasting my data plan and draining laptop battery. Thanks Google for being unfriendly and not having any user settings for this ;-)
Disclaimer: published under MIT License. That is, simply: "as-is", no guarantees, by downloading this patch you know what you are doing.
Labels: ads, autoplay, chrome, chromium, linux, opensource, patch, video, webkit
April 13, 2017
Notes on Brave browser
Second thing (which could be not relevant, but looks strange anyways), is that it used npm as package manager in previous days.
April 12, 2017
Arch with mate: cannot lock screen with mate-screensaver, had to move to xscreensaver
I use Arch as my desktop OS, with mate. After the latest update (pacman -Syu) I noticed that I can lock the screen only once after a restart or so. It works like this: when selecting "Lock screen" from the menu it just does nothing, and there's nothing in .xsession-errors either. So the screen remains unlocked.
When I (maybe mistakenly) try to manually execute mate-screensaver it says like "screensaver is already running for this session".
So I took way of getting rid of mate-screensaver and installing and using xscreensaver instead (pacman -S xscreensaver). It works just fine.
Labels: arch, linux, mate, mate-scresnsaver, opensource, screensaver, xscreensaver
April 5, 2017
ag regex syntax
man pcrepattern
Labels: ag, linux, man, opensource
March 18, 2017
git ssh correct url
$ git clone ssh://servername/reponame.git
Cloning into 'reponame'...
fatal: '/reponame.git' does not appear to be a git repository
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
The solution is to use a slightly different URL; note the '~/' part:
$ git clone ssh://vm/~/devvit_test.git
Labels: ssh
February 26, 2017
SSH SHA-256 fingerprint is not human readable
$ ssh ...
The authenticity of host '... (...)' can't be established.
RSA key fingerprint is SHA256:qSj/We80nmhTc8Pc4XPazxlpGrnv95EZNXSZB1YsGl0.
Looks like
Compare that with SHA-1 fingerprint (actually connecting to the same SSH server):
The authenticity of host '...' can't be established.
RSA key fingerprint is 77:5f:3b:1f:84:eb:d2:0c:ca:bd:b3:5d:f7:3c:c3:6f
Grouped hex digits, no trash.
Maybe I'm wrong, but it looks to me that the ssh maintainers in this case are blindly following a modern fashion to use sha256 instead of considering which UX leads to fewer human errors.
I'm not sure if that's somehow connected to using ECDSA keys or not. Anyway this change to sha256 increases human mistakes in using crypto tools like SSH which is very bad.
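How the two displayed formats are derived from the same host key, as an added example that is not part of the original post. The colon-separated 16-byte form is what OpenSSH prints with `ssh-keygen -l -E md5`, the `SHA256:` form is the unpadded base64 of a SHA-256 digest over the same key blob; the key line below is constructed, not a real host key.

```python
import base64
import hashlib
import hmac
import struct


def key_blob(pubkey_line):
    """Decode the key blob from a '<type> <base64> [comment]' public key line."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with a length-prefixed copy of the key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != fields[0]:
        raise ValueError("key type does not match blob")
    return blob


def fp_sha256(blob):
    """Fingerprint in the SHA256:<base64 without padding> style."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fp_md5(blob):
    """Fingerprint in the older colon-separated hex style (16 byte pairs)."""
    hexd = hashlib.md5(blob).hexdigest()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


def fingerprint_matches(blob, shown):
    """Compare a fingerprint as displayed by ssh with the one computed here."""
    shown = shown.strip()
    if shown.startswith("SHA256:"):
        expected = fp_sha256(blob)   # base64 is case-sensitive: compare as-is
    else:
        if shown.upper().startswith("MD5:"):
            shown = shown[4:]
        shown = shown.lower()        # hex digits are case-insensitive
        expected = fp_md5(blob)
    return hmac.compare_digest(shown.encode(), expected.encode())


def constructed_key_line():
    """Build a syntactically valid ssh-ed25519 line from fixed bytes (sample data)."""
    key_type = b"ssh-ed25519"
    blob = (struct.pack(">I", len(key_type)) + key_type
            + struct.pack(">I", 32) + bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii") + " constructed@example"


SAMPLE_LINE = constructed_key_line()

if __name__ == "__main__":
    blob = key_blob(SAMPLE_LINE)
    print(fp_md5(blob))      # 47 characters: 16 hex pairs and 15 colons
    print(fp_sha256(blob))   # 7-character prefix plus 43 base64 characters
```

Letting a script do the comparison removes the by-eye step: a single changed or wrong-case character in the base64 form makes `fingerprint_matches` return False.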
January 23, 2017
Hibernate downloads
Neocities registration leads to third-party microsoft account creation for same email
To finish setting up this Microsoft account, we just need to make sure this email address is yours.
The thing is that I'm pretty sure I did not create any microsoft emails by myself and this email is a secondary one and I do not use it frequently.
So be careful when using Neocities as they could have some data leak.
January 10, 2017
Notes on Apache Spark
1. Distributed computation engine (aimed at low latency)
2. Can be used in both batch mode and interactively
3. In-memory
4. Faster than Hadoop
5. Fault tolerance out of the box
Labels: apache spark, software architecture, software engineering, spark
Notes on Apache Cassandra
1. Cassandra has a thing called the "partitioning key", which is a part of the _primary key_
PK -> consistent hashing function -> value determines which Bucket (range of Hashes) it fits into -> which node we need to talk to
2. CAP theorem tradeoffs. Cassandra is Highly Available (Availability) and Partition Tolerant (Partitioning)
3. Replication. RF = 3 - factor of replication.
4. Consistency level (how many nodes confirm that they have written the data): { All, Quorum, One }. It can also have a "Local" modifier in case of multiple data centers. We can write to different DCs, which could be one for OLAP and one for OLTP (so that different queries do not impact each other's performance)
5. CL - per query; RF - per keyspace
Labels: apache cassandra, big data, cassandra, software architecture
January 9, 2017
Business Logics vs Data Logics
Labels: business logics, data logics, engineering, software, software engineering
November 3, 2016
I'm sharing a TED talk
Labels: meetings, work process
August 6, 2016
Compiling i686 kernel v2.6.34.1 on x86_64 centos v3.10.0
I want to compile a small kernel.
As a first step, as I cannot yet compose a working initrd, I will use the existing pmagic iso, which is 2.6.34 for i686, and replace the kernel image.
As for package dependencies/toolchain - too many, search for the error or ask me in comments.
$ git clone -v git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git
$ cd linux-stable
$ git checkout v2.6.34.1
Then patch something:
$ patch -p0 < patch.diff