Raspberry Pi 3 fun

I wrote a few simple Python programs to play with my new Raspberry Pi Sense Hat, and display the time, temperature, humidity level and barometric pressure readings in a message that scrolls across the Sense Hat's 8×8 color LED display. It was fun.

The Raspberry Pi 3 is an amazingly powerful device. I'll bet it'd be a lot quicker if I connected a USB disk and mounted a disk-based filesystem over the SD card root filesystem: just use the SD card to boot into the disk-based OS, and bang, zoom!

The only thing that really limits the Pi is that you can only attach one hat to a Pi. No stacking of hardware add-ons. So I ordered a new Pi, or rather the Pine64, a Pi 3 competitor. It has the same 40-pin GPIO bus, but runs a 1200MHz CPU instead of the Pi 3's 900MHz CPU, both quad-core ARM A53-based chips. The Pine64 also comes with 2 GB RAM instead of 1 GB, and Gigabit Ethernet instead of 100 megabit. I read someone complain about build quality issues, but we'll see. So far I haven't been able to get any response out of it: no audio/video signal on the HDMI port, no blinking lights anywhere to let me know something is working, just a single red LED that is on all the time. Isn't there a law about manufacturers using red LEDs to mean anything but "there is a problem"? For that matter, the Pi 3 has a red power-on LED too (as well as a green activity indicator – not sure what activity, but it blinks).

Just for fun, I did get LXC Linux Containers working just fine on the Pi 3. Running containers isn't resource-hungry at all. You just can't use any of the armhf prebuilt distros in the templates; you have to use the Raspbian Jessie repo and debootstrap the containers yourself, and create an LXC config file for them by hand too. But it works.

Even though the Raspberry Pi 3 is running an ARMv8 64-bit CPU, it's still running an ARMv6-based OS, for backwards compatibility with the original 512 Mb Raspberry Pi Model A. Even the Pi 2 was an ARMv7 chip, but same thing – no ARMv7 or ARMv8 OS available for the Pi user. The Raspberry Pi Foundation says they are still investigating the matter, but they are worried about making it too complex for regular makers, who just want to learn and build and not worry about any compatibility issues.

I wish they would go ahead and release a beta 64-bit base OS, plus any of their tools that are portable, like the Python support. They already release a Debian Jessie based Raspbian-lite without all their tools; do the same in 64-bit ARMv8 mode for the experimenter. The ARMv8 chips running the 64-bit instruction set are proven to be 25-40% faster than the same CPU executing 32-bit code, so why NOT allow anyone who wants to play with a free speedup? We'll figure out what does and doesn't work over time. Let the early adopters find out for you whether there are going to be any weird compatibility issues to worry about. Maybe they'll even solve some of them for you.

What has shocked me the most is that no enterprising soul has done it for themselves, even! I'd have figured some hardware hacker would have worked out how to boot a 64-bit kernel on a Pi 3 by now. Apparently not, though.

I even ordered another Raspberry Pi Zero, and USB-to-DB9 female RS-232 serial port cables, to build a cheap terminal server for my four headless lab servers. I can run screen on the Pi Zero, and use four windows running C-Kermit to connect to the tty consoles on each of them and store all the console log messages as screen logs.

Raspberry Pi boot sequence

I've been playing with my Raspberry Pi again. I bought the Sense Hat, which is an add-on card that has temperature, humidity, and air pressure sensors, a tiny joystick, a large 8×8 multi-color LED display, and software to draw graphics and scroll messages across it. Having fun.

One of the things I find frustrating is that the Raspberry Pi 3 (and others) have ARMv8 64-bit chips in them, but nobody has released a 64-bit Linux for it. The Raspberry Pi Foundation wants to maintain backwards compatibility at all costs, and they never want to make things too complex for people who want to learn.

I found this page describing the actual RPi boot sequence really fascinating. The GPU boots up first!

Source: raspberry pi boot sequence at DuckDuckGo

AT&T Is Spying on Americans for Profit, New Documents Reveal

AT&T has turned spying for the US Government into a profitable business venture. Welcome to Hemisphere, the new way anyone with access to government computers can locate and track (and who knows what else) any AT&T customer instantly, and see where they have been at any time in the past.

Now that the Hemisphere product exists, the government won't let them ever shut it down, because they value the intelligence far more than they fear the risks. Hackers and corrupt AT&T and USG employees are in there too. We used to laugh when TV shows like NCIS showed them able to instantly locate anyone. Now we know it's actually true, just not ALL done with satellites.

New documents reveal the telecom giant is doing NSA-style work for law enforcement—without a warrant—and earning millions a year from taxpayers.

Source: AT&T Is Spying on Americans for Profit, New Documents Reveal

New ISP, New Firewall

Recently, we switched from Comcast 75Mbps cable modem internet to AT&T 600+Mbps fiber internet. The biggest difference is that AT&T requires you to use their router/firewall; it's not optional. So you can either simply trust their device to never get hacked, or set up your own NAT firewall inside the AT&T router and NAT everything twice. But if you do that, the firewall gets an IPv6 address while nothing inside the firewall can access IPv6, and the AT&T router has no option to request a larger IPv6 subnet so the firewall could use the rest.

So I decided to switch from a routed firewall to a bridged firewall. I tried to reconfigure my pfSense (FreeBSD UNIX based) firewall, but failed to get it to work properly; it was strange how the BSD bridge was blocking ARP traffic between network segments. I gave up on pfSense and rebuilt my firewall box with CentOS 7 Linux, and installed the Shorewall firewall software, which I've used before.

Whereas a routed firewall has an IP interface on each network segment, and each segment is part of an independent IP network, a bridged network is one where you have only one IP network, with the firewall acting as if it were an Ethernet switch, forwarding traffic from interface to interface based on the destination MAC address. But Shorewall gives you control based on the segments the traffic is coming from and going to instead of the IP addresses, so, for example, guests can get to the AT&T router and the internet, but not to any internal computers.

Setting up basic bridging on Linux is no problem for me, except it turns out my firewall has 5 ports, but they aren't named in the same order as they appear on the back of the box. That took too long to figure out. Shorewall fully supports bridging mode, but the documentation is a little light, because far more people use the routed mode. But there is enough to figure it out.

Shorewall can seem a little complex to set up at first, but it's not too bad, really. I started by creating 5 zones, each representing one of the five segments of our Ethernet network – wired LAN, lab LAN, wifi, guest wifi, and internet. Then I edited the interfaces file, where you assign the 5 physical interfaces to the 5 zones. Then I edited the policy file to define the default access rules. Lastly, I edited the rules file to add any exceptions to the default policy, like allowing guests to access the printer.

So, because I broke our LAN into 5 segments, I can do things like set up an SSH gateway inside my lab and allow friends to log in across the internet into my lab, while being reasonably sure they won't be able to get from there into our home computers, because those are on a different segment. The "guest" network is where all of our "internet of things" devices are connected. Our wifi thermostat, Dropcam web camera, Chromecast, and any visitors to our house will be able to access the Internet but not anything else inside the house, so if they get hacked, they can't get to anything important.
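As an added illustration of the four-file setup described above (this is a constructed example, not the author's actual configuration), here are Shorewall zones, interfaces, policy and rules for a five-segment bridged firewall. It assumes the OS has already created a bridge br0 with eth0 through eth4 as its ports, that the segment-to-port mapping is as shown, and that the printer and SSH gateway addresses are placeholders.

```conf
# /etc/shorewall/zones
# Five bridge-port (bport) zones hang off one parent zone, "world", because
# the whole bridge is a single IP network.
#ZONE         TYPE       OPTIONS
fw            firewall
world         ipv4
net:world     bport
lan:world     bport
lab:world     bport
wifi:world    bport
guest:world   bport

# /etc/shorewall/interfaces
# Which physical port carries which segment is an assumption for this example.
# The dhcp option lets the AT&T router's DHCP broadcasts cross the bridge.
#ZONE    INTERFACE    OPTIONS
world    br0          bridge
net      br0:eth0     dhcp
lan      br0:eth1     dhcp
lab      br0:eth2     dhcp
wifi     br0:eth3     dhcp
guest    br0:eth4     dhcp

# /etc/shorewall/policy
# First match wins. Only the wired LAN may reach everything; lab, wifi and
# guest may reach the router segment (and so the internet) but not each other,
# and anything unlisted is rejected and logged.
#SOURCE   DEST    POLICY    LOG LEVEL
$FW       all     ACCEPT
lan       all     ACCEPT
wifi      lan     ACCEPT
wifi      net     ACCEPT
lab       net     ACCEPT
guest     net     ACCEPT
net       all     DROP      info
all       all     REJECT    info

# /etc/shorewall/rules
# Exceptions to the policy. 192.168.1.20 (printer) and 192.168.1.30 (lab SSH
# gateway) are placeholder addresses; port 22 must also be forwarded to the
# gateway by the AT&T router, which these rules do not do.
#ACTION   SOURCE   DEST                 PROTO   DPORT
ACCEPT    guest    lan:192.168.1.20     tcp     631,9100
ACCEPT    wifi     lan:192.168.1.20     tcp     631,9100
ACCEPT    net      lab:192.168.1.30     tcp     22
ACCEPT    lab      $FW                  tcp     22
```

These rules act on IP traffic only; ARP crosses the bridge unfiltered, which is what arptables, mentioned below, is for.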

Next I plan to install arptables, which will let me set up rules to block ARP traffic from any particular MAC address. Someday I'll run Cat5e cable between the floors, so we can get the whole 600 megabit speed upstairs, and get rid of this cable running on the floor from our office to the bedroom.

OpenShift: PaaS by Red Hat, Built on Docker and Kubernetes

If they'd listen to me, instead of my being a system infrastructure architect in name only, I would deploy this at work. I'd run RHEL7 native on all our LPARs, running OpenStack, Neutron Load-Balancer-as-a-Service and Kubernetes to run our workload as Docker containers, way more efficiently than our current solution.

Even keeping all our current architecture, infrastructure and processes, simply switching from z/VM to LXC containers would improve performance and server efficiency, up to 50% or more.

OpenShift is an open source PaaS by Red Hat based on top of Docker containers and the Kubernetes container cluster manager for enterprise app development and deployment.

Source: OpenShift: PaaS by Red Hat, Built on Docker and Kubernetes