I’ve been doing more video processing lately, some of it HDTV quality, this was really demonstrating that 2GB was not nearly enough RAM for my system. Memory prices have dropped a lot since I did my frugal upgrade, at the time (early 2010) I spent $54 on a single 2GB stick. The other day I picked up 2x4GB for a mere $35 from CanadaComputers. Sure we’re now 2 years later, but to get four times the RAM for less?

In general I’ve had good luck with Patriot products, and looking at their warranty it looks like the have the standard limited lifetime warranty you’d expect.

My motherboard has 4 slots for RAM, so I could have left the 2GB stick in and added the two additional – but I decided against mixing things up. I figured 8GB was plenty for now, I can easily change my mind later. Installation was a snap, literally under 10mins including juggling all those cables.

Amazingly I got it right the first time, the BIOS showed me 8GB. Now as I’m running a 32bit version of Linux, I wasn’t surprised that the operating system couldn’t see all of my new RAM.

$ cat /proc/meminfo
MemTotal: 3482728 kB

So Linux can only see 3.3GB, I suspect why the value isn’t 4GB is due to the onboard video stealing some away from the OS.

The obvious upgrade path is to install the 64bit version of Ubuntu. It seems the smart path forward is to wipe and start again, however given that I’ve got a 1TB drive and it’s 60% full that’s going to be a long copy / install process. I mentioned this to a friend at work and he suggested that instead I use the PAE kernel, I’m glad he suggested it.

Physical Address Extension (PAE) is very easy to add to an existing 32bit Ubuntu installation. Assuming you’ve got a CPU that supports the feature (and with any current hardware you will), it’s a simple one line install.

$ sudo aptitude install linux-generic-pae linux-headers-generic-pae

After the install, a quick reboot and we’re running the new kernel. If you’re doing a clean install, recent versions of Ubuntu automatically add the PAE kernel if you’ve got enough RAM.

Now we can see all of the RAM

$ cat /proc/meminfo
MemTotal: 8072420 kB

This works out to 7.7GB, again some I believe is donated to the onboard video.

Why might you want to use PAE instead of running a 64bit version? If you elect to use 64bit mode, then all of your memory pointers need to be 64bits wide (aka double the 32bit size). This can cause some serious memory bloat depending on the type of application.

It should be no great surprise, but there is some work involved in getting applications to work in 64bit environments. For some applications, recompiling is all that is needed – however many have hidden dependencies on certain data structures being 32bit in size. It is for this reason that lots of software is still stuck back in 32bit – the mitigation is to run 32bit compatibility libraries.

With PAE, while the kernel can see all of the memory (up to 64GB) – each process is still limited to 32bit addressing (4GB max). You also miss out on some of the 64bit extensions to the instruction set, so you are leaving a little bit of performance on the table.

When I get around to doing a full wipe and re-install, I’ll likely move to a 64bit version of Ubuntu as it seems to be the recommended approach. I’m certainly glad I can put that off for a while longer and use PAE to get access to the increased memory with almost no effort.

I own the domain lowtek.ca and host a couple of personal projects as well as this blog on it. One of the areas is behind a password and that part of the site I redirect over to https to ensure that the communication is encrypted. While the whole Certificate Authority infrastructure has currently become questioned, the value of having a SSL connection between your browser and (hopefully) a specific destination machine still has value. I found a humorous youtube video that describes SSL basics if this is new to you.

If you were watching the tech news, you’ll have seen several of the CA’s had security breaches. Even StartSSL which this post will talk about using had some issues, but it seems that it wasn’t as bad as the others. There has even been some research into how to attack / break SSL entirely. The web is a scary place if you think too much about this stuff. Today SSL is the most convenient web security story there is, and for the most part it works well enough.

For most people hosting personal websites the simple path is to use a self signed certificate.  The one downside to this is that whatever browser you are using will not recognize the certificate as valid, you’ll either be prompted to download and remember it – or just trust it for this one session. The manner in which browsers trust commercial web sites https connections is the certificates are issued by one of the root CA’s (Certificate Authority). The CA is a trusted 3rd party which the browser can check with to validate the certificate the website is offering up.

Ubuntu has some guides on creating certificates. What I’ll try to do here is provide a specific example of using StartSSL to generate a free certificate that is accepted by most web browsers. Much of the details come from another blog that I referenced when creating my StartSSL certificate.

You’ll probably want to use FireFox. The web interface at StartSSL.com can be a bit finicky and FireFox is known to work – I used the somewhat old 3.6.25 version. Of course the first step is to sign-up and create an account on StartSSL. They use email confirmation and my greylisting caused a bit of a hiccup here, waiting a few minutes and resubmitting the sign-up succeeded just fine. Then there will be a wizard that takes you through the rest of the sign-up process.

At the end of your account sign up you’ll be encouraged to back up the client certificate that has been installed into your browser. As I understand it, they use the client certificate as a form of authentication that it is really you they are connected to. The FAQ has details on backing up the client certificate. If for some reason you lose your client certificate they have a FAQ for that too.

Next we want to return to the “Control Panel” and use the “Validations Wizard” to do the “Domain Name Validation”. This will require another email validation to ensure that you are the owner of the domain (you’ll need to be able to receive email for that domain).

Now we can actually create a certificate. There are pay options for certificates, but we want to use the free version. Use the “Certificates Wizard” to create a “Web Server SSL/TLS Certificate”. Again I’ll reference the very useful blog post from jasoncodes.com that describes this set of steps (I will replicate here for completeness).

The first step of creating a certificate we can skip, as we plan to create our own Certificate Signing Request (CSR) locally. Execute the follwoing on your server, obviously replacing mydomain.ca with your domain name:

openssl req -new -newkey rsa:4096 -days 380 -nodes -keyout mydomain.ca.key -out mydomain.ca.csr

There will be several questions posed to you during this, here is a dump of the questions and some example answers:

Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:YourStateOrProvince
Locality Name (eg, city) []:YourCity
Organization Name (eg, company) [Internet Widgits Pty Ltd]:SomeName
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:mydomain.ca
Email Address []:secret_email@mydomain.ca

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Some of the answers can be blank as should be evident above. If you’re having trouble with the 2 letter country codes, check on wikipedia. I did find a reference that suggested that the common name must exactly match the host name of your server, you might note that I’m not using a www prefix here. This will allow me to re-use this same certificate for email and other things in theory, it also follows the no-www approach. I opted to leave the challenge password blank.

The second step of the wizard on StartSSL for creating a certificate will ask for a cut & paste of the mydomain.ca.csr we just created. Paste the entire contents of the file in, and move on to the next step where you should see that the request was received.

Moving along the next step is to “Add Domains”, since we’ve only validated one domain this should be easy. As part of this process it will ask for one sub domain. I used “www” since that will still resolve correctly to the lowtek.ca domain.

The remainder of the steps should be straight forward, you’ll arrive at the “Save Certificate” screen. You’ll want to save three things: 1) Text box contents as mydomain.ca.crt, then save-as the 2) intermediate and 3) root CA certificates (last two should be sub.class1.server.ca.pem and ca.pem respectively).

Now we need to install into Apache2. I’ll assume you’re running Ubuntu.

We’ll start by copying the .crt and .pem files we saved from the final step on StartSSL into the /etc/apache2/ssl directory. We also want the .key file that was created when we made our CSR copied to the same directory.

Again I must credit jasoncodes.com, this is almost verbatim from his site. Run the following as root.

cd /etc/apache2/ssl
mv ca.pem startssl.ca.crt
mv sub.class1.server.ca.pem startssl.sub.class1.server.ca.crt
cat startssl.sub.class1.server.ca.crt startssl.ca.crt > startssl.chain.class1.server.crt
cat mydomain.ca.{key,crt} startssl.chain.class1.server.crt > mydomain.ca.pem
ln -sf mydomain.ca.pem apache.pem
chown root:root *.crt *.key *.pem
chmod 640 *.key *.pem

Now we need to modify the apache config file /etc/apache2/sites-available/ssl and add the following within the <VirtualHost> block:

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/mydomain.ca.crt
SSLCertificateKeyFile /etc/apache2/ssl/mydomain.ca.key
SSLCertificateChainFile /etc/apache2/ssl/startssl.chain.class1.server.crt

Check that your Apache config parses as valid:

apache2ctl -t

And then restart Apache with the new config:

sudo /etc/init.d/apache2 reload

Here is the the verification process verbatim from jasoncodes.com:

Run the following after restarting Apache to check the certificate chain:

echo HEAD / | openssl s_client -connect localhost:443 -quiet > /dev/null

You should see something like:

depth=2 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0

A depth of 2 and a return value of 0 is good. If the certificate chain is wrong, you’ll probably see something like:

depth=0 /description=12345-ABCDEF123456/C=XX/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=host.example.com/emailAddress=hostmaster@example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /description=12345-ABCDEF123456/C=XX/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=host.example.com/emailAddress=hostmaster@example.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /description=12345-ABCDEF123456/C=XX/O=Persona Not Validated/OU=StartCom Free Certificate Member/CN=host.example.com/emailAddress=hostmaster@example.com
verify error:num=21:unable to verify the first certificate
verify return:1

I was pleased to see that it all verified correctly for me. Visiting https://lowtek.ca resulted in a green lock icon under Google Chrome.

The StartSSL certificate expires in 1 year, so next year around this time I’ll be doing the same process. There is another CA (AffirmTrust) I came across that offers free 3 year certificates, I have no experience with them but would be interested to hear if anyone tries them out. There is CACert as well, but it doesn’t appear to be included in any of the browsers – limiting the usefulness of a certificate from them.

I’ve been running Ubuntu as my home desktop for quite some time, and it’s been at least a couple of years since I did a clean install. I’ve moved motherboards and drives over that time and upgraded the distribution many times. Generally the upgrades resulted in improvements. Moving to 11.04 (Natty Narwhal) resulted in a change to the new Unity interface, I had seen and used it previously on a netbook so it wasn’t completely new to me. Having only recently upgraded to 11.10 a few things busted which I’ll write about here. I’ll focus on things that I noticed breaking between 11.04 and 11.10, but some of the tips will apply in general.

Some of these issues will be due to my avoidance of doing a fresh install, if you’re really stuck – make a backup and do a fresh install and work forwards. One day I’ll get organized enough to build a script that lets me restore my preferred state “fresh” from a clean install – a lot of that script could likely be built by introspecting the current install. More likely is that people will push most of their data into “the cloud” and the desktop will become pretty much throw-away. My Android phone is starting to work a lot like that it seems (but I rebuild it from a clean install more often than I want to admit).

Issue 1 – Automatic login. I rarely reboot my machine, but when I do I don’t want to be bothered with a login. For my personal desktop I’m ok with the less secure mode (work is a different story). This busted in 11.10, fortunately the fix was out there.

Search for "User Accounts" application. Select the account you want to autologin Toggle the Automatic Login switch to On

Issue 2 – Suspend stopped working in 11.10, well as I rarely reboot/power off – I need my machine to suspend. Attempts to suspend would appear to almost suspend, but immediately resume to the lock screen. Looking at the log file /var/log/pm-suspend.log helped me spot something odd:

Running hook /etc/pm/sleep.d/05_xhci resume suspend:
FATAL: Module xhci not found.

The log didn’t indicate this was causing a problem, but it seemed suspicious. I had added this file when I got the Core i3 as suspend wasn’t working. Well, it turns out removing this file fixes my suspend problem.

Issue 3 – I now needed to disable the lock screen on resume. This took a bit more digging to find the solution to, but again it was very simple once I found it. Simply run the following in a terminal.

gsettings set org.gnome.desktop.lockdown disable-lock-screen 'true'

In 11.10 the default mail application is now Thunderbird, which I used to use back when I was on Windows XP but stuck it out with Evolution when I moved to Ubuntu. I haven’t switched so I’m still on Evolution, but it’s clear Evolution isn’t quite right in 11.10 or the settings migration due to change in db shape was busted. I’ll have to sort that out at one point.

When I moved over to Unity in 11.04, I was missing a couple of the nice task bar indicators. I found Caffeine 2.2 to give me support for disabling auto sleep, and System Load Indicator 0.2 for some stats on the task bar.

I’ll toss out one other link to tweaks by Steve Klondik, I didn’t use any but it was a good reference.

WordPress allows you to do some simple URL rewriting to push people to whatever you want, and I had configured things to push visitors to www.lowtek.ca/roo since the ‘www’ seemed like the right thing to do. I never really thought much about it until I came across no-www.org.

No-www.org strives to make the Internet and communications about it as fruitful as possible. To that end, we make the modest proposal that website makers configure their main sites to be accessible by domain.com as well as www.domain.com.

This makes a lot of sense, and any site that supports they consider a Class A site. They define a further level of no-www support as Class B, and consider this optimal no-www compliance level. There is also Class C, but is not recommended.

Thus lowtek.ca has been a Class A compliant no-www site all along. However just the other day I switched things around to be Class B – allowing both www.lowtek.ca and lowtek.ca to work, but redirecting people who visit www.lowtek.ca to simply lowtek.ca. I had two reasons that motivated me: 1) lowtek.ca is shorter 2) I’m working on getting a SSL certificate and having the short name allows me to reuse it for other things (like mail) if I want.

To make the change I needed to address a couple of things. First step was to go to all of the wordpress blogs I host and change the General Settings to make sure wordpress wasn’t going to try to rewrite the URL to have a www prefix. Failure to do this will result in a broken site as you get a rewrite/redirect loop.

Next I had to do battle with my apache configuration. This is something I’m sure would be easier if I was a better web server admin. I ended up adding the rewrite rules to the sites-available definition(s) I use, one for normal HTTP and the other for HTTPS. Many suggest using .htaccess but I would rather this was codified in my actual apache config files.

The no-www.org FAQ has a rewrite rule, but I ended up using

RewriteCond %{HTTP_HOST} ^www.lowtek.ca$ [NC]
RewriteRule ^(.*)$ http://lowtek.ca$1 [R=301,L]

The [NC] specifies ‘no case’, ie: case insensitive. The R=301 specifies that we’re redirecting, and the HTTP code is 301 ‘Moved Permanently‘. The L indicates this is the last rule, as you can have multiples.

Now my domain validates with no-www.org as a Class B implementation.

There is a downside to the no-www movement, but only for larger sites. This is likely why Google continues to have a www prefix. Cookies that are set from domain.com can be read by anything.domain.com. For small sites like mine, this has no impact, for larger sites it could be a problem.

I had setup a RAID1 system using two 1TB volumes, I had decided to split the 1TB mirrored volume into 300Gb/700Gb so I could limit the space used by backups to 300Gb. In hindsight this was a silly idea, and it also made the migration process more complicated. If I had placed the 300Gb volume second, it might have been feasible to move that data somewhere then expand the 700Gb volume to fill the remainder of the drive – but I had put the 300Gb volume first. One day someone will write the utility to allow you to shift the start of a volume to the left (towards the start of a drive).

Instead of sticking with a RAID1 setup, I decided to move to RAID5. While there is a little less redundancy with RAID5, the additional flexibility seems like a good trade off to me at this point. I’ll avoid getting into the religious debate over which type of RAID you should use, or if RAID makes sense at all with large sized drives. Also there are some good off the shelf solutions now such as Drobo or QNAP.

With a project like this it is a good idea to make a plan in advance, then log your steps as you go along. Migration of 100′s of Gb of data will take time, lots of time. I did the work over about 5 days, some of it while on a trip outside the country (remote access!). Here was my plan:

1. install new drive – ensure system is happy
2. break mirrored set – run in degraded mode
3. repartition new drive & unused mirrored drive
4. create degraded raid 5 (2 drives only)
5. copy data from degraded mirror onto degraded raid5
6. decommission degraded mirror & repartition
7. add volume to raid5 set

I also was careful to check that the new volume had the same capacity as the other two having been bit by that in the past. (I used fdisk -l /dev/sde to get the stats of the drive)(...)
Read the rest of How To: Migrate from Raid1 to Raid5 (535 words)

RAM is one of the most important aspects of your computer system, but spending a lot on fast RAM is usually not worth it – better to get more RAM that is cheaper. I’ll frequently just buy whatever is cheapest that meets the specs I need.

Back in 2006 when I bought a refurbished Mac Mini (G4) from Apple it came with 512MB of RAM. The PPC Mini was limited to a single RAM slot, and 512MB was ok – but not really enough.

For Macs there was RAM specially tagged as compatible, or I could go the aftermarket route and just buy some RAM with the same specifications. If my memory is correct, the price delta was 30% or so. In the end, even at the premium price (about $100) the 1Gb of RAM I needed wasn’t a huge expense so I went for the guaranteed to work. The memory arrived, it worked fine until just recently.

The mini stopped booting, running a memory test resulted in it indicating the RAM was bad (I thought maybe the hard drive had gone). As Kingston has a lifetime warranty I figured it was worth seeing if I could get a free replacement (vs. a $30 price for a new unit at todays RAM cost).

Wow! Kingston’s support/warranty process is amazingly good.

I called and almost immediately got a real live person. It was really hassle free, they asked why I thought the RAM was bad and I said I had run a self test on it – and that was it. I was immediately in line for a RMA #.

The RMA process is really slick. Once you get the right documentation from Kingston (via email!) – you only need to package the RAM and drop it off at a FedEx location. Kingston picks up the cost of shipping it both ways.

The shipping was fast (and free to me):
Oct 4, 2011 9:45 AM Delivered FOURNTAN VALLEY, CA
Oct 4, 2011 8:57 AM On FedEx vehicle for delivery COSTA MESA, CA
Oct 4, 2011 8:03 AM At local FedEx facility COSTA MESA, CA
Oct 4, 2011 5:59 AM In transit LOS ANGELES, CA
Oct 4, 2011 4:04 AM Departed FedEx location INDIANAPOLIS, IN
Oct 4, 2011 2:04 AM International shipment release INDIANAPOLIS, IN
Oct 4, 2011 12:27 AM Arrived at FedEx location INDIANAPOLIS, IN
Oct 3, 2011 10:44 PM In transit MIRABEL, PQ
Oct 3, 2011 8:04 PM In transit OTTAWA, ON
Oct 3, 2011 6:23 PM Left FedEx origin facility OTTAWA, ON
Oct 3, 2011 5:16 PM Picked up OTTAWA, ON


A brand new stick of RAM arrived on my doorstep on October 12th (again via FedEx). It was amusingly over packaged (as you can tell from the photo at the top of this post). Of course it works perfectly.

Sure I paid Kingston a premium form Mac specific RAM, but that was back in 2006. To get such red carpet service 5 years after I bought something is really amazing. Their warranty also covers the regular ValueRAM etc, so you should get similar great service. They usually have very good pricing on their RAM, but given my experience with the warranty even if they aren’t the best price it will be tempting to spend a few bucks more to get Kingston.