How to set Docker 1.12+ to NOT interfere with IPTABLES/FirewallD

For some reason the powers that be at Docker have decided that with version 1.12 (or perhaps earlier, I don't track how lax I get between versions), the approach of using a systemd override file for iptables no longer works. At least, that is true if, like me, you had DOCKER_OPTS="--iptables=false" in /etc/systemd/system/docker.service.d/noiptables.conf.

My next attempt was to pass the setting as an environment variable (DOCKER_IPTABLES=false) rather than as a command-line parameter. That didn't work either, and some digging in systemd showed why: the stock docker.service starts the daemon with a fixed ExecStart line (dockerd -H fd://) that never expands DOCKER_OPTS, so a drop-in that only sets environment variables changes nothing. To get a flag onto the command line that way you would have to override ExecStart itself in the drop-in.

It turns out the solution is explained (not obviously) here (no, at the time of writing there is no FQDN, just an IP):

You must manually edit /etc/docker/daemon.json, which is a file that the Docker daemon DOES read at startup. Make sure it contains "iptables": false. Since everything in daemon.json is an override of a default, that single setting is all the file needs to hold, so mine looks like:

{ "iptables": false }

Then restart the Docker daemon (systemctl restart docker). Two things to keep in mind: the DOCKER chains created by the previous daemon stay in the kernel until you flush them or reboot, so don't take their presence straight after a restart as proof the setting was ignored; and with iptables disabled dockerd no longer adds the NAT rules that give containers outbound access and make published ports reachable, so those rules are now your firewall's job. I guess in hindsight that is a much easier way of doing it and is better for other overrides going forward, but they did an excellent job of informing their long-standing users of the changes.
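
The script below is an added example (mine, not from the post or from Docker) that installs the daemon.json override without clobbering other settings already in the file, checks the file, and prints the outbound MASQUERADE rule you now have to supply yourself. It assumes the default bridge docker0 on 172.17.0.0/16; adjust the subnet and interface if yours differ.

```shell
#!/bin/sh
# Added example, not part of the original post or of Docker itself.
# Assumes: dockerd reads /etc/docker/daemon.json (true since 1.12), and the
# default bridge is docker0 on 172.17.0.0/16 (adjust if you changed it).

DAEMON_JSON="${DAEMON_JSON:-/etc/docker/daemon.json}"

# Return 0 when the given daemon.json disables dockerd's iptables handling.
# grep-based so it needs no jq; tolerant of spacing but not of comments,
# which daemon.json does not permit anyway.
daemon_json_iptables_disabled() {
    [ -r "$1" ] && grep -Eq '"iptables"[[:space:]]*:[[:space:]]*false' "$1"
}

# Install the minimal override. dockerd reads exactly one daemon.json, so an
# existing file carrying other settings (storage driver, log limits...) must
# be merged by hand or with jq rather than overwritten; this refuses in that
# case and returns 2.
write_iptables_override() {
    f="$1"
    if daemon_json_iptables_disabled "$f"; then
        return 0                         # already done
    fi
    if [ -s "$f" ] && ! tr -d '[:space:]' < "$f" | grep -qx '{}'; then
        echo "refusing to overwrite $f: add \"iptables\": false to it by hand" >&2
        return 2
    fi
    printf '{\n  "iptables": false\n}\n' > "$f"
}

# The POSTROUTING rule dockerd used to add for you. Print it so it can be
# reviewed, then run it as root or put it in the host firewall's own config.
masquerade_rule() {
    subnet="$1"; bridge="$2"
    echo "iptables -t nat -A POSTROUTING -s $subnet ! -o $bridge -j MASQUERADE"
}

# Live check after `systemctl restart docker`: with the override in place the
# daemon creates no DOCKER chains. Chains left by the previous daemon survive
# a restart, so flush them or reboot before trusting this result.
docker_left_iptables_alone() {
    ! iptables -S DOCKER >/dev/null 2>&1 && ! iptables -t nat -S DOCKER >/dev/null 2>&1
}

if [ "${1:-}" = "install" ]; then
    write_iptables_override "$DAEMON_JSON" || exit $?
    masquerade_rule 172.17.0.0/16 docker0
    echo "now: systemctl restart docker, apply the rule above, then re-run with 'check'"
elif [ "${1:-}" = "check" ]; then
    daemon_json_iptables_disabled "$DAEMON_JSON" || { echo "daemon.json lacks iptables=false"; exit 1; }
    if docker_left_iptables_alone; then
        echo "ok: no DOCKER chains present"
    else
        echo "DOCKER chains still present (stale, or setting not applied)"; exit 1
    fi
fi
```

Run it as root with `install`, restart the daemon, apply the printed rule (or its equivalent in ufw/firewalld), then run `check`. The refusal to overwrite is deliberate: a daemon.json that silently loses its other keys is a far less obvious failure than a script that stops and tells you to merge.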

Fix for BTRFS: open_ctree failed when running root FS on RAID 1 or RAID10 - Arch Linux

This bug is a known issue in Arch Linux, see here

There are also bug reports and discussion filed here and here

The Problem

The bug appears to reside in systemd or mkinitcpio, as the ArchWiki suggests. Whichever process is responsible for disk discovery and identity allocation seems to get itself in a twist with BTRFS on multi-device volumes. Things were fine for me on RAID 1 before I upgraded to my current RAID 10 set up, so the problem may be more prevalent or pronounced on RAID10 deployments.

I followed the suggestion on the Wiki for a fix, to no avail. Besides, why would adding 'btrfs' to the MODULES array rather than HOOKS work anyway? The 'udev' hook handles that stuff in place of the 'btrfs' hook, but never mind.

The Solution

After some experimentation I discovered that if you change the /etc/fstab entry to name a single member device of the BTRFS array, rather than a filesystem-wide identifier such as a LABEL or UUID as in these two examples:

LABEL=btrfs_root    /    btrfs etc.etc.etc.  
UUID=fd047936-9253-421a-8d48-219612cb4915    /    btrfs etc.etc.etc.  

like this:

/dev/mapper/disk1-root    /    btrfs etc.etc.etc.

then the system boots successfully.

But doesn't this mount only the one disk? No. A BTRFS filesystem is identified by its filesystem UUID, which every member device carries, and mounting any one member mounts the whole filesystem, provided the kernel has already been told about the other members (udev's btrfs rules run btrfs device scan as each device appears, which is the job the 'btrfs' mkinitcpio hook does on an initramfs without udev). If a member is missing at that point the mount fails unless the degraded option is given. So the single device named in /etc/fstab brings in the entire pool at boot (see the two snippets at the end of this post for my particular deployment).

So long as the chosen disk survives, everything is fine. In theory I have a 25% chance of it being that particular disk that fails, leaving me locked out and requiring a Live-CD style recovery. If one of the other three fails I should still be able to boot the array, albeit in degraded mode, and replace the disk.

If this particular disk does bite the dust, it's not a problem, and not really any extra complication. The fix would be to:

  • Boot from an Arch live USB stick
  • Add the degraded mount option to the root entry in /etc/fstab and rootflags=degraded to the kernel command line (see here)
  • AND change the device that is mounted at boot in /etc/fstab - in my case swap /dev/mapper/disk1-root for /dev/mapper/disk2-root, disk3-root, etc.
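
To take the guesswork out of the recovery steps above, here is an added example (mine, not from the post or from btrfs-progs) that reads the member list from btrfs fi show, picks a surviving member, and rewrites the root fstab entry onto it with the degraded option added exactly once. It assumes the root filesystem is the multi-device BTRFS volume and that fstab names one member device, as in the post.

```shell
#!/bin/sh
# Added example, not part of the original post or of btrfs-progs.
# Assumes: the root filesystem is the btrfs volume shown by `btrfs fi show`,
# /etc/fstab mounts it via one member device, and the replacement device is
# another member of the same filesystem.

# Print the member device paths from `btrfs filesystem show` output on stdin.
btrfs_member_devices() {
    awk '$1 == "devid" { print $NF }'
}

# Print the first member that is not the failed device; empty output means
# nothing else was listed, i.e. there is nothing to fail over to.
first_surviving_member() {
    failed="$1"
    btrfs_member_devices | awk -v bad="$failed" '$0 != bad { print; exit }'
}

# Emit FSTAB with the root entry switched from OLD_DEV to NEW_DEV and the
# 'degraded' option added if it is not already there. Output goes to stdout:
# review it, install it over /etc/fstab, and add rootflags=degraded to the
# kernel command line so the initramfs mounts the same way.
fstab_failover_root() {
    fstab="$1"; old="$2"; new="$3"
    awk -v old="$old" -v new="$new" '
        /^[[:space:]]*#/ || NF < 4 { print; next }
        $1 == old && $2 == "/" && $3 == "btrfs" {
            $1 = new
            if ($4 !~ /(^|,)degraded(,|$)/) $4 = $4 ",degraded"
        }
        { print }' "$fstab"
}

# Typical use from a live system (as root):
#   new=$(btrfs fi show | first_surviving_member /dev/mapper/disk1-root)
#   fstab_failover_root /mnt/etc/fstab /dev/mapper/disk1-root "$new" > /tmp/fstab.new
```

Run from the live environment with the broken root mounted (degraded) under /mnt, diff /tmp/fstab.new against the original before copying it into place. Once the failed disk is replaced and the array rebalanced, remove degraded again; leaving it in permanently means a future missing disk goes unnoticed at boot.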

To close: yes, there's a bug somewhere in mkinitcpio or systemd, and yes, it adds a complication to multi-disk builds that keep the root filesystem on them. It's pretty minor though, and hopefully the instructions here will help solve the problem and save people time.

My /etc/fstab (last example is correct)

#UUID=fd047936-9253-421a-8d48-219612cb4915      /               btrfs           rw,relatime,space_cache,subvolid=5,subvol=/     0 0
#LABEL=btrfs_root       /       btrfs           rw,relatime,space_cache,subvolid=5,subvol=/     0 0
/dev/mapper/disk1-root  /               btrfs           rw,relatime,space_cache,subvolid=5,subvol=/     0 0

My BTRFS array. The other three devices are members of the same filesystem, so they come in automatically once /etc/fstab mounts disk1-root.

[root@nasbox ~]# btrfs fi show
Label: 'btrfs_root'  uuid: fd047936-9253-421a-8d48-219612cb4915  
    Total devices 4 FS bytes used 768.09GiB
    devid    1 size 831.51GiB used 385.03GiB path /dev/mapper/disk1-root
    devid    2 size 831.51GiB used 385.03GiB path /dev/mapper/disk2-root
    devid    3 size 831.51GiB used 385.03GiB path /dev/mapper/disk3-root
    devid    4 size 831.51GiB used 385.03GiB path /dev/mapper/disk4-root

[root@nasbox ~]# 

How to Fix Chromium/Google Chrome Black Screen in VirtualBox

The bug is in VirtualBox's Guest Additions, which probably mistranslate 3D calls from applications like Chromium and deliver the weird black flickering garbage.

The solution is simply to replace the version of VirtualBox Guest Additions you're using. I found that VBoxGuestAdditions_5.0.10.iso worked fine. Insert the disc into the guest via VirtualBox and run the usual sudo ./ installer script from it; this removes the existing broken version of Guest Additions and installs the working replacement.

Fix for audio sync issues on VLC for Android (May 2016)

Using VLC on Android to watch videos and getting audio sync issues? I knew the files were fine, but every time I started a video on my tablet and scrolled forward or back, the audio would be offset by around a second. Often the sound was off as soon as I played the video 'from cold'.

After some experimentation I found you have to go into VLC > Settings > Hardware Acceleration and ensure it is set to Disabled. In my case it was set to the default 'Automatic', and VLC was trying to use hardware acceleration and getting its sync messed up.

The VLC app itself says hardware acceleration is experimental, so just make sure it's disabled.

Fixing Natural Scrolling in Arch Linux

Due to my habit of switching between desktop environments semi-regularly, including GNOME-based ones, multiple configuration files exist in my ~/.config/ governing the same things, in this case my mouse scrolling.

I was never able to figure out which files were conflicting with each other, but this answer on AskUbuntu worked for me first time, system-wide.

Pebble Time opens port 9000/tcp6 on Android Devices

I did a port scan the other day and was surprised to find my phone listening for connections on the LAN: port 9000 on tcp6, which Nmap labelled cslistener. That label is only the name Nmap's services table associates with port 9000; it says nothing about what was actually listening.

Nmap scan report for
Host is up (0.0072s latency).
Not shown: 999 closed ports
9000/tcp open cslistener
MAC Address: C0:EE:BE:EF:BQ:15 (OnePlus Tech (Shenzhen))

Googling didn't turn up much, so I ran an adb shell to the phone. It turned out the process occupying the port was the Pebble Time app.

root@A0001:/ # fuser 9000/tcp6
1417
root@A0001:/ # ps | grep 1417
u0_a123   1417  253   1779444 105092 ffffffff b6db5340 S
root@A0001:/ #

Then I remembered seeing an option in there ages ago about allowing developer access, which I had turned on when I was playing with creating tutorial apps for the watch. The 'Developer Connection' was still switched on; turning it off kills the listener on port 9000.
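
Finding this by hand once is fine; catching the next forgotten debug listener needs something repeatable. The function below is an added example (mine, not from the post or from Nmap) that reads Nmap's grepable output (nmap -oG) and reports every open port that is not on an allowlist. The scan text embedded in it is constructed to look like the post's finding, with adb-over-TCP on 5555 added as a second hit; it is not a real scan.

```shell
#!/bin/sh
# Added example, not part of the original post or of Nmap.
# Assumes: the scan was run as `nmap -6 -oG - <phone>` (or saved with -oG),
# and the allowlist is a space-separated list of port/proto entries you expect.

# Read Nmap grepable (-oG) output on stdin and print "host port/proto service"
# for every open port not in the allowlist. The service column is just Nmap's
# services-table name for the port number, not an identification of the
# listener; the post's fuser/ps pair on the device itself is what does that.
unexpected_open_ports() {
    allow="${1:-}"
    awk -v allow="$allow" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^Host:/ && /Ports:/ {
            host = $2
            sub(/.*Ports: /, ""); sub(/[[:space:]]+Ignored State:.*/, "")
            n = split($0, p, ", ")
            for (i = 1; i <= n; i++) {
                split(p[i], f, "/")     # port/state/proto/owner/service/rpc/version
                if (f[2] == "open" && !((f[1] "/" f[3]) in ok))
                    print host, f[1] "/" f[3], (f[5] == "" ? "?" : f[5])
            }
        }'
}

# Constructed sample of -oG output (not a real scan): the post's port 9000
# plus adb over TCP on 5555, on a documentation-prefix IPv6 address.
SAMPLE_SCAN=$(printf 'Host: 2001:db8::10 ()\tStatus: Up\nHost: 2001:db8::10 ()\tPorts: 9000/open/tcp//cslistener///, 5555/open/tcp//freeciv///\tIgnored State: closed (998)\n')

# Usage: anything printed here is a listener you did not expect.
#   nmap -6 -oG - <phone> | unexpected_open_ports "5555/tcp"
printf '%s\n' "$SAMPLE_SCAN" | unexpected_open_ports "5555/tcp"
```

Run it against the real scan on a schedule and treat any output as a prompt to do what the post did: attach to the device, map the port to a process, and switch the feature off if it is not needed. A developer or debug connection that stays on after you finish with it is exactly the sort of thing this catches.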

Pebble Time App

Docker, Arch Linux, and User Namespaces

I recently tried to run Jess Frazelle's Chrome Docker image; she explains how to do that here. Whilst a little understanding is needed of what's going on (such as passing X11 through from the host to the container), it's pretty simple.

However, Chrome broke for me every time. At first I couldn't work it out, but help in this Issue Thread showed that the lack of user namespace support in my kernel was the problem.

The stock Arch Linux kernel at the time did not have user namespaces (CONFIG_USER_NS) built in, and Chrome needs them. Its sandbox places each renderer process in its own user namespace (alongside PID and network namespaces) so that a compromised renderer has no way to reach anything outside it, and without a working sandbox Chrome refuses to start rather than run unsandboxed. The idea being that if a renderer can't interact with anything outside its namespaces, it minimises the risk to the other processes on the system.

Unfortunately, to enable user namespaces you have to turn the option on in the kernel config and rebuild the kernel. This isn't an easy process, but the Arch Build System can help. Bear the trade-off in mind: letting unprivileged processes create user namespaces exposes a great deal more kernel code to unprivileged callers, which is exactly why some distributions leave the option off or gate it behind a sysctl.

To test that you've got user namespaces enabled, run zgrep CONFIG_USER_NS /proc/config.gz (Arch builds its kernel with CONFIG_IKCONFIG_PROC=y, so the running kernel's config is exposed there; on distributions that don't, look in /boot/config-$(uname -r) instead). It should return CONFIG_USER_NS=y; anything else means it is not enabled.
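
The build-time option is only half the story, because a kernel can have CONFIG_USER_NS=y and still refuse to let an unprivileged user create one (some distribution kernels gate that behind the kernel.unprivileged_userns_clone sysctl). The script below is an added example (mine, not from the post) that checks both: it reads the option from whichever config source the kernel exposes, and then actually tries to create a user namespace with util-linux's unshare(1), which it assumes is installed.

```shell
#!/bin/sh
# Added example, not part of the original post. Checks user namespace support
# two ways: the build-time option in the kernel config, and a real attempt to
# create one, since CONFIG_USER_NS=y alone does not guarantee an unprivileged
# process may use it. Assumes util-linux's unshare(1) is available.

# Print the value of OPT from a kernel config file, or "n" when it is unset
# ("# OPT is not set") or absent. Accepts /proc/config.gz (needs
# CONFIG_IKCONFIG_PROC=y, as on Arch) or a plain /boot/config-<version>.
kernel_config_value() {
    cfg="$1"; opt="$2"
    case "$cfg" in
        *.gz) zcat "$cfg" ;;
        *)    cat "$cfg" ;;
    esac | awk -F= -v opt="$opt" '
        $1 == opt { print $2; found = 1; exit }
        END { if (!found) print "n" }'
}

# Pick whichever config source this kernel exposes; fail if neither exists.
running_kernel_config() {
    if [ -r /proc/config.gz ]; then
        echo /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# Functional test: create a user namespace as the calling, unprivileged user.
# Fails when CONFIG_USER_NS=n or when the sysctl forbids it, which is the
# check that matters for Chrome's sandbox.
userns_usable() {
    unshare -Ur true 2>/dev/null
}

report() {
    if cfg=$(running_kernel_config); then
        echo "CONFIG_USER_NS=$(kernel_config_value "$cfg" CONFIG_USER_NS) (from $cfg)"
    else
        echo "no kernel config exposed; relying on the functional test"
    fi
    if userns_usable; then
        echo "user namespaces: usable by an unprivileged process"
    else
        echo "user namespaces: NOT usable (option off, or kernel.unprivileged_userns_clone=0 where that sysctl exists)"
        return 1
    fi
}

if [ "${1:-}" = "report" ]; then
    report
fi
```

Run it as the same unprivileged user Docker will run Chrome as; a kernel that passes the config check but fails the functional one needs the sysctl flipped, not a rebuild.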

My config.gz for Kernel 4.2.5-1 is here

The image below shows I've got Chrome running in Docker fine now. You can also tell from Archey that I'm running the custom kernel.

Picture of Chrome Running

Using UFW on Fedora

When switching to Fedora I was disappointed to find that there was no support for Uncomplicated Firewall, something I had enjoyed on Arch Linux. Although it was not in the Fedora repos, it can still be installed and used.

  • Download the UFW source code from Launchpad
  • Unpack and install it. ufw is a Python program rather than an autotools project, so the traditional 'untar, configure, make' doesn't apply: the README in the download explains its setup.py-based install, and a quick google will explain further.
  • Once installed, stop the existing firewall services so that two tools aren't fighting over the same iptables rules: systemctl stop iptables for the plain iptables service, and systemctl disable --now firewalld for FirewallD (stopping alone is not enough, as it comes back on the next boot).
  • Enable UFW: sudo ufw enable
  • Add your rules as usual, e.g. ufw allow 22/tcp or ufw limit 22/tcp

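
The steps above as one cutover script, added here as an example (mine, not from the post or from ufw). It finds whichever conflicting firewall units are actually active, disables and masks them so a package update cannot re-enable one underneath ufw, and brings ufw up with a default-deny baseline and rate-limited SSH. It assumes a from-source install that put ufw on PATH and that SSH is the only inbound service you need.

```shell
#!/bin/sh
# Added example, not part of the original post or of ufw. Cuts a Fedora host
# over to ufw without leaving a second rule manager active. Assumes `ufw` is
# on PATH and SSH is the only inbound service needed (add more `ufw allow`
# lines as required).

# Units that will fight ufw for the ruleset if left running.
CONFLICTING_UNITS="firewalld.service iptables.service ip6tables.service nftables.service"

# Read `systemctl list-units --type=service --state=active --no-legend` output
# on stdin and print the conflicting units among them, one per line.
active_conflicts() {
    awk -v units="$CONFLICTING_UNITS" '
        BEGIN { n = split(units, u, " "); for (i = 1; i <= n; i++) want[u[i]] = 1 }
        ($1 in want) { print $1 }'
}

cutover() {
    for unit in $(systemctl list-units --type=service --state=active --no-legend | active_conflicts); do
        # stop now, keep it off across reboots, and mask so nothing can
        # quietly start it again underneath ufw
        systemctl disable --now "$unit"
        systemctl mask "$unit"
    done
    ufw default deny incoming
    ufw default allow outgoing
    ufw limit 22/tcp                # SSH, rate-limited against brute force
    ufw --force enable              # non-interactive form of `ufw enable`
    ufw status verbose
}

if [ "${1:-}" = "cutover" ]; then
    cutover
fi
```

Run as root with `cutover`, from a console rather than over SSH the first time, since a mistake in the rules locks you out. On a source install also confirm that ufw's rules are loaded at boot; the source tree's doc/ directory covers init integration.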
Solution: KDE 5 Plasma - Massive Fonts after upgrade

After running a full system upgrade on Arch Linux, all of my desktop environments save MATE were using a massive font size. This made all the windows balloon up as if I were running at 640×800. Part of the upgrade must have damaged, corrupted or replaced a global font config file (if any such thing exists).

The solution, to get back to the normal font DPI (96 for me), is to open System Settings > Fonts and set "Force fonts DPI" to your value, 96 in my case. Doing this and then logging out and back in solved the problem.