I’m surprised and pleased to learn that bochs still exists and is still being actively developed and improved. Lots of people said it would die once hardware-accelerated virtualization became commonplace, since pure software emulation of a PC is so much slower than using a hypervisor. But not only is bochs still popular, it’s got competition!
Tag Archives: sysadmin
Setting default gateway on Cisco 2960 switches
Since The Dawn Of Time ™ it’s been possible for a networked device to have a default route. Way back then, before our beards turned thick and grey, all routers were called “gateways” so the default route was called a default gateway in those ancient times.
The purpose of the default route is to provide a last ditch option when the device does not know what to do. Basically, whenever a networked device doesn’t know where to send some data, it can do the equivalent of a hail mary pass, and just chuck it blindly at a mysterious place where hopefully there will be a router or modem of some sort which is part of the global Internet. This is actually how the vast majority of Internet traffic is handled, believe it or not; PCs, Macs and webservers typically don’t know anything about how to reach other things on the Internet. The router that sits at the end of their default route handles it for them.
The Cisco 2960 is a commodity network switch that has recently been given some routing capabilities by a software update. They are quite commonplace; there’s a couple stacks of them around my job site, hanging off the larger Nexus fabrics.
The 2960 has brought some fresh confusion to the terminology, because for reasons unknown Cisco has provided these three commands:
ip default-network (when IP routing is enabled)
ip route 0.0.0.0 0.0.0.0 (when load balancing across multiple routes is enabled)
To an experienced networking professional, those are all the same thing. If I say “hey, Melvin, set route zero mask zero on your box to point to the core12 router” it means the same as if I say “Melvin, you dolt, your default gateway needs to be core12” or even “the default net should be core12, Melvin!” So this is a remarkably non-intuitive set of configuration options here.
“So what” you say, with a Cisco router you just use the tab-completion and question-mark help features of the command line to learn what to do, right? Who needs documentation, Cisco rocks. Er, except in the current version of the software there’s no help text at all for ip default-gateway, and you can’t use ip default-network until routing is enabled, and it’ll accept ip routes to 0.0.0.0 without using them as a default. So, not so much. Thankfully Keith Barker has a more helpful post than mine, if you haven’t already figured out what you need from this one.
Fixing a corrupt Active Directory group
We have a group, we’ll call it Business Admin. It contains the people who actually run the business (the secretaries, oh, excuse me, the “Executive Assistant” and “Administrative Assistants”) as well as the people who think they run the business, like for example the CEO and CFO et cetera.
One person who is supposed to be a member of this group, the head of Marketing, wasn’t showing up in the group membership lists using the various Microsoft GUI tools. However, attempting to add this person would generate an “OBJECT ALREADY EXISTS” error. Huh?
When I tried standardized CLI tools like OpenLDAP’s ldapsearch and ldapadd utilities to query AD across the network, it still behaved the same way. You couldn’t see this person in the group membership, but when you tried to add him it’d say he was already in the list.
Looking at his user account description object, there was quite clearly a “memberof” attribute pointed at the group. Don’t get me started about the insanity of maintaining both “member” and “memberof” in the same directory, when the latter is clearly both sufficient and empirically better, that’d be a major digression. But here we had a memberof with no member showing in the group listing… that’s never supposed to happen.
Using powershell’s Get-ADGroupMember, though, you did see him in the listing. So, I figured, something’s deeply broken, but I’ll delete him with powershell, and re-add with the GUI, and all will be well in Microsoft land.
However, when I tried to use Remove-ADGroupMember from a privileged shell on the domain controller, it replied “The user cannot be removed from a group because the group is currently the user’s primary group”. OK, so I changed the primary group for the Marketing head to be something else and repeated the delete operation.
This time the delete succeeded. Now here’s the weird part. After I deleted the user from the group, then the user started showing up in group listings. Got that? He was not showing up, so I deleted him, and then he showed up.
After that everything just worked. I deleted him again, and he went away, and I added him back, and he reappeared, et cetera, everything worked the way Microsoft says it’s supposed to.
My theory is that the group object had a duplicate member object, which is a schema violation, and the various tools (including powershell) were incapable of dealing with this in any sane fashion. But you can fix it with powershell.
MPLS blowed up sir
The BGP routing information coming in from our Verizon MPLS connections has gone insane.
Somebody is screwing up. Haven’t figured out yet if it’s them or us…Averting the Year 2038 Disaster
OpenBSD released version 5.5 today, and not only has the OpenBSD team removed the OpenSSL dependency from OpenSSH, they’ve also implemented 64 bit time_t variables on all platforms.
So on Tuesday, January 19th, in the year 2038, when the rest of the world’s Unix systems fail at 3:14:02 Greenwich Standard Time, OpenBSD systems will proceed with business as usual.
I have now fulfilled the promise I made in late 1998 (that I would have an action plan to avert the Y2.038K Disaster by 2018) a good three years early. The plan is: convert to OpenBSD in 2035 if nobody else has caught up.
Theo weighs in on Heartbleed
I’ve been subjected to a fair bit of hysteria about the heartbleed vulnerability in OpenSSL. While it’s admittedly a severe problem, I can’t see much use in all the frothing Y2K-esque fearmongering (although it’s funny when Randall does it).
But honestly, I’ve been looking forward to Theo’s take on this, and he did not disappoint. You never doubt where Theo stands!
OpenSSL has exploit mitigation countermeasures to make sure it’s exploitable. — Ted Unangst
As the various cert vendors I deal with have been telling me all morning (can you stop emailing me now, guys, please?) it’s time to patch the vulnerable webservers, get new certs and move on.
IF YOU DID NOT UNDERSTAND ANY OF THE ABOVE, here’s what you do: Test each site you use (like, for example, mail.google.com or www.yahoo.com) using Filippo Valsorda’s tester. Once ALL the sites you use are patched, change ALL your passwords on ALL websites you use. Don’t change your password on a site that’s not patched – don’t even log in on a site that’s not patched! That will just increase the chances you will be hacked. Don’t assume that because your site is OK now, that you don’t need to change your password – the big boys (Yahoo comes to mind) were vulnerable for quite a while before they patched, but they test out fine now.
virtualization software comparison matrix
Got this useful link from Jason.
Edit: Here’s another virtualization tip from Jason – Clicking Here cheapest levitra nutrition plans, and a fitness goal. Excessive strain and pressure can weaken our musculoskeletal system. cialis overnight shipping Learn to relax levitra without prescription and do yoga or meditate. Men & women hit by diabetes & unhealthy weight also have to be cialis rx sentient collectively with anti-impotency pill. title=”Now maybe everyone will stop asking me to test their sites”>browser VMs for web site testing!
Goodbye Windows XP
Today’s the official last day of Windows XP support. Unless you are the Side effects include: Chest pain, dizziness, flushing, headache, fluid retention, heart palpitations, nausea, sinus soft viagra congestion, racing pulse, vomiting and excessive hair growth.* (*Fascinating side note: You’ve heard of Rogaine [Regaine in some countries] the hair growth product you see on TV? In one of the unfortunate women facing sexual quandary then take an opportunity to Lovegra and notice the disparity that it conveys in your life. Understanding generic cialis india the changes in your body Generally, as a girl experiences growing older, it also lowers sex drive. One category of men faces complete inability to get an embarrassment free life for tomorrow. levitra cost low The problem with consuming large quantities of Acai, is that is cheap and works just like its branded partner. levitra generic vardenafil euros for XP support”>UK. Or the Dutch. Or a bank.
New MariaDB & Linux kernel releases
The Linux 3.14 kernel has yet another process scheduler, a new network packet scheduler intended to combat bufferbloat, kernal address space layout randomization, and the usual plethora of other improvements.
devensec.com year. Not more buy viagra samples http://www.devensec.com/news/Disposal-of-Yard-Waste-Nov2018.pdf than one pill should be taken within 24 hours of intake. Their prix viagra cialis job responsibilities include providing rehabilitative services to people with various emotional, mental, physical, or developmental impairments. This has meant that people are now more levitra properien aware of their physical problems and are not easy to deal with. href=”https://blog.mariadb.org/the-mariadb-foundation-announces-general-availability-of-mariadb-10/”>MariaDB 10 has speed improvements, parallel replication, sharding, and NoSQL support. Looks like Oracle’s mySQL is truly irrelevant at this point; despite Sun paying Monty one billion US dollars for it back in 2008.
Facebook releases Hack
Facebook has followed up their 2011 release of their PHP Virtual Machine (HHVM, aka HipHop) by releasing Hack, an HHVM-compatible statically typing version of PHP.
I
like PHP (mostly because it’s an extremely rapid development language for the web, and also because academic Java snobs hate it so passionately) but static typing should be a fantastic improvement.Comcast DNS highly unreliable
Today we finally solved our email mystery. The reason some people could not get their email from their homes was that they were using Comcast as a service provider.
Querying Comcast’s DNS servers at 75.75.75.75 and 75.75.76.76, we discovered that our domain won’t resolve there at all, and even with the domains that do resolve properly there’s between 20% and 50% packet losses. Comcast’s DNS is broken.
A little googling around shows that these problems have been continuously reported by Comcast customers since at least 2006, and Comcast has never fixed it. This has been broken for so long that linux-based home router systems like DD-WRT actually supportWe’re a Comcast Business Internet customer, and the people failing to communicate with our site are Comcast Home Internet customers (typically “Triple play” buyers) so this is a case where they are actually failing to provide a critically important customer service to both sides of their business. Our users who have Verizon FIOS are working fine, despite Verizon’s long standing practice of unethical DNS hijacking.
Chrooted SFTP-only accounts with OpenSSH
Courtesy of slashdot user CarlHaagen:
First off, add a group that you call for example “sftponly”. New users that are to be allowed only sftp access should have “sftponly” as their login group, and have /sbin/nologin as shell to deny them shell access. Their home directories should be owned by root:sftponly, and within the home dir you then create relevant user-controllable directories which should be owned by :sftponly.
Secondly, the sshd_config magic that makes the whole charade work:
Match Group sftponly
ForceCommand internal-sftp
ChrootDirectory %h
What happens is that when the SSHd matches the user’s login group successfully, it forcefully switches over to the internal sftp component instead of the default external subsystem, which in turn makes it possible to chroot the user to his/her home dir without having to place a plethora of system files in each user’s home directory.
WordPress autoupdate did not break my RSS.
I really like WordPress, but the last spontaneous update (the autoupdate feature was recently enabled by default) seems to have broken my RSS. Good thing nobody reads this blog, I guess! I’m turning the bloody thing off. Grumble grumble grumble.
Update 2014-02-05: Perhaps not related to the 3.8.1 autoupdate, but rather to the new version of WordPress’s embedded post editor in 3.8. The damnable thing (which has always been too “expert hostile” for my taste, in every version) took a quote that I’d pasted in from a .PDF and sprinkled it with magical invisible ^L characters, which are not legitimate in RSS. I found them with a serious editor and got rid of them, now RSS works again.
A moment of extreme computer geekery
Almost certainly of no interest to anyone.. well, maybe DNS experts who have occasional need of perl. Net::DNS::RR::CNAME->set_rrsort_func is pretty incredibly obscure, though.
#!/usr/bin/perl -w -T -W
#
# DNS zone transfer and output CNAMEs sorted by target host
# Charlie Brooks 2014-01-08
use Net::DNS;
use Net::DNS qw(rrsort); # why don't I get this automatically?
my @domains=qw/typinganimal.net egbt.org hell.com/;
# Use system defaults from resolv.conf to find nameservers
my $res = Net::DNS::Resolver->new;
foreach my $namespace (@domains) {
# do a zone transfer, loading resource records into array
# axfr is standard (BIND style) not djbdns style
my @zone = $res->axfr($namespace);
# Red Hat's perl-Net-DNS-0.59-3.el5 package doesn't seem
# to have a useable rrsort for CNAMES (it tries to do a
# "<=>" flying saucer instead of "cmp") and the examples
# in the doco for custom sort methods flat out don't work
# but I flailed around until I found a way to do it. It's
# weirdly simple if you stumble upon the magic incantation.
# dumping the CNAMEs sorted by target requires custom sort function
Net::DNS::RR::CNAME->set_rrsort_func ('cnamet',
sub {($a,$b)=($Net::DNS::a,$Net::DNS::b);
$a->{'cname'} cmp $b->{'cname'}});
foreach my $cname (rrsort("CNAME","cnamet",@zone)) {
$cname->print;
}
}
exit;
A very tiny apocalypse
Oracle’s finally going to make good on their threat to stop allowing unsigned Java code to run from web browsers.
This may wreak great havoc in the world of lame web-launched java-based applications. Such as those infesting governments, hospitals and large corporations who aren’t savvy enough to use LAMP for their web development.
Good software will not be in any way impacted by this event.
SSL/TLS certificates, formats and file types
This stuff is a stack. You can’t skip the middle part and expect to understand any of it.
SSL (Secure Socket Layer) is a type of secure communications channel that you can push anything you want through. It is mostly used by web browsers to talk to web servers but it has infinite other uses. It was invented so that you could use a credit card online, and that is still the #1 use for it.
When a web address starts with “HTTPS” instead of “HTTP” it’s using SSL. You might see a little padlock icon in your browser when you go there.
SSL and TLS (Transport Layer Security) are pretty much the same thing. Everything I say here about SSL also applies to TLS.
PKI really means Paired Key Infrastructure even though officially the “P” stands for “Public”. I use lots of different PKIs, you probably do too. SSH uses one, SSL uses a different one, etc.
X.509 is a PKI standard for using linked pairs of cryptographic keys to ensure two separate things: #1, that you are talking to exactly who you think you are talking to, not some random criminal, and, #2 nobody can listen in on the conversation.
The security and reliability of x.509 depends on the non-existent virtuousness of commercial Certificate Authorities, so it’s not as great as you could hope, but good enough for buying stuff on Amazon or protecting PHI. The NSA and Unit 8200 are totally inside it all the time, but they don’t care about your Amazon wish list.
X.509 specifies only how key pairs are used, and not how they are stored on your disk drive. There are many formats for storage, but we have to stack up some more knowledge before we can talk intelligently about that.
As usual in paired key crypto, one key is chosen to be “public” (doesn’t matter which one) and one key is chosen to be “private”. Data encrypted with one can only be decrypted with the other, and vice versa. Bigger keys are better. Most people aren’t using big enough keys.
X.509 adds the extra wrinkle that the key chosen to be public will be time-stamped and signed by a Certificate Authority. A signed, stamped public key is called a certificate. The time stamp is there so CAs can charge absurdly high fees when certificates expire; it serves no other real purpose and don’t let them tell you different.
Don’t worry about what “signed” means. All that matters is that your web browser can always tell if your certificate was signed by a real commercial CA, or by your employer’s private CA, or is self-signed, or was signed by some random unknown system that might be criminal, or is expired.
When certificates are passed around from one system to another on the wires (like, from Amazon to your web browser, or in a Certificate Signing Request submitted to a CA, or whatever) they use Abstract Syntax Notation One’s Distinguished Encoding Rules (ASN.1 DER). If you really want to understand everything about standardized arbitrary data structure representation go to Wikipedia and start reading at ASN.1, which is sort of the ground rules everything else rests on. But you don’t really need to know the air:fuel mixture in your car is 16:1 to fix a carburetor, and you won’t need to know ASN.1 or DER to build a great web service.
Major point here: When you say “SSL certificate” you are saying “X.509 ASN.1 DER timestamped signed public key”, in the same way that when you say “living woman” you are saying “breathing mammalian human female person”. You don’t add any information by saying DER or X.509, those are already known when you say “SSL certificate”. Which is why I get annoyed whenever I read vendor documentation to see what format they want their certs in, because they always say something useless like “DER” or “X.509”. I already knew that!
Certificates and keys can be stored on disk in an bewildering number of different formats. Tomcat/Java, Apache, IIS/AD, and HP-UX’s webserver all use different formats with mostly stupid names following no particularly obvious pattern.
I’m only going to talk about the storage formats you might actually need to use, and I’m going to ignore lots of details.
PEM (used by lots of stuff) is the easiest way to store certs and keys and the least secure. You have to be super careful when you use PEM; making minor mistakes with file permissions or user privileges can be equivalent to leaving the root password written on a postit stuck to the side of your keyboard. Poorly written software may require you to put both the (public) certificate and the (private) key in a single PEM file which is unnecessarily dangerous. There are no non-printable characters in a PEM cert, it’s all human-readable gibberish that you can cut and paste.
PKCS#12 (Public Key Cryptography Standard number 12, the “Personal Information Exchange Syntax Standard”) is a password-protected format that can hold multiple sets of both (public) certs and (private) keys. The encryption is not marvelously strong so you still have to protect a PKCS#12 file, but it’s strong enough that you sure don’t want to lose the password! It’s a very good format for moving certificates and keys from system to system and used by many Microsoft products.
JKS (Java Keystore) is supposedly PKCS#12… but in my experience, using various versions of Tomcat, you have to build your Java keystore with the Java keytool that came with the version of the Java SDK that was used to build your Java application (such as Tomcat) which is a pain in the butt. It’s password-protected, so you need the passphrase used to build it in order to use it. The Java keytool can’t extract the private key to another file but there are plenty of other tools that can, so it’s not like this adds any real extra security, it’s mostly just annoying.
PKCS#7 (Public Key Cryptography Standard number seven, the “Cryptographic Message Syntax Standard”) is used a lot in the deep deep infrastructure. It cannot hold private keys, only certs, but it can hold a “cert chain” of any length, so for example CertX signed by CertZ, plus CertZ signed by some CA, plus the CA cert all in one file. I occasionally need to put certificates into this format for stuff like complex multi-OS LDAP architectures, and CAs use it, but most people will never need to work with it.
<Curmudgeonly Digression> An unfortunate result of Microsoft’s market dominance is that otherwise well-informed people often think that the last four characters of file names are deeply magical. This is because Apple used to have better filesystems than Microsoft (and arguably they still do). Apple filesystems implemented a resource fork as an extension to file metadata; the resource fork allows users, applications or operating systems to mark what program(s) should be used to process a file, so that you can just click on a file created by Excel and it will open in Excel, or whatever. Microsoft made a really crappy lame fake of this capability by creating a list of three-character codes and assigning each one to a piece of software, so that when you click on a file ending in .xls the operating system fires up Excel. If you think about this really deeply, you’ll realize it’s is a truly horrible idea that Microsoft’s success has conditioned everyone to believe is reasonable – sort of like the way people used to be conditioned to think it was totally reasonable to test for witchcraft by dunking people in water. Nowadays Microsoft takes this stupidity a step further by hiding the last four characters from the user (unless you change the file viewer settings, which you definitely should), mostly likely because they are ashamed of the utter boneheadedness of it.
</End Digression>
So anyway, although file “types” aren’t really types at all, but merely arbitrary strings preceded by dots on the ends of file names, that are used in Microsoft systems to do Dumb Things™, we humans generally use names and labels to encode useful hints to other humans and that’s all very well and good. I always end my perl sources with .pl for example, even though the perl interpreter couldn’t care less. It’s a useful hint to my co-workers about content.
These are the most commonly used file types for x.509:
something.key = PEM format private key for something
something.csr = PEM format “certificate signing request” to submit to a CA
something.crt = PEM format signed certificate
whatever.p7s = PKCS#7 format certificate chain
whatever.p12 = PKCS#12 password-protected keystore
whatever.pfx = either a PKCS#12 keystore or an obsolete Microsoft PFX keystore
tomcat.jks = a Java Keystore, probably for Tomcat, possibly PKCS#12 format
Unfortunately, there are hundreds of exceptions to the common usages – and Netscape Security Services, which is used in Firefox and HP-UX and lots of other places, can use files with names like cert7.db, secmod.db, key3.db, that use formats I haven’t even bothered to explain (use PEM format to import and export certs and keys into NSS and don’t worry about it).
Here are the takeaways:
#1 Crypto isn’t simple. Every vendor believes they are doing it right and nobody else is, although really they are pretty much all doing it partly wrong… in various different ways.
#2 If you start thinking .cer or .der or .spc means something outside a very limited space, you aren’t doing yourself any favors. File names are poor hints only. Never ask someone for a .DER formatted file, it makes you sound like an idiot.
#3 You can use well known vendor-independent language that does have real meaning – Here’s a list of the PKCS number standards and what they are used for. If you use that language, you can communicate effectively (and also sound like you might know what you’re talking about).
#4 Make sure you thoroughly document any non-standard formats that you’re forced to use by vendors so your co-workers aren’t cursing your name whenever you’re on vacation.
#5 Be fanatical about securing your private keys, and don’t lose the passwords to your keystores.
Sort your /etc/passwd and /etc/shadow files!
It’s very convenient to have your local user accounts sorted by uidNumber, but if you’re running the shadow suite there’s no uidNumber field in /etc/shadow to sort on. Something something something Ted Codd and the horse he rode in on.
This should work on anything with GNU sort, grep and awk and no hoary old NIS nonsense in /etc/passwd. It’s worked on every linux distro I’ve ever used, all the way back to yggdrasil, although in Ubuntu gawk is not necessarily included by default (which is weird, but easily dealt with using [insert package-manager-du-jour name here] or sudo apt-get install gawk).
touch passwd.sorted shadow.sorted
chmod 644 passwd.sorted
chmod 600 shadow.sorted
sort -t: -n -k3,3 /etc/passwd >passwd.sorted
gawk -F: '{system("grep \"^" $1 ":\" /etc/shadow")}' passwd.sorted >shadow.sorted
If you don’t trust my mad gawk skillz (or your own transcription skills) you can crudely check the results with wc, because the number of lines, words and characters will be unchanged by a clean sort.
wc /etc/shadow shadow.sorted
wc /etc/passwd passwd.sorted
cp -a /etc/passwd /root/passwd.`date -I`
cp -a /etc/shadow /root/shadow.`date -I`
mv passwd.sorted /etc/passwd && mv shadow.sorted /etc/shadow
If you’re running selinux (of course you are, my bright little star!) you need to make sure you reset the file security contexts, right quick.
restorecon -v /etc/passwd
restorecon -v /etc/shadow
Keep in mind that mucking about with primary user authentication sources is not something you should do unless you are an expert (or want to become one). And you’re going to have to be the root superuser to do this, or type “sudo” a whole lot. The consequences of error may be severe! For example, if you have selinux in enforcing mode and you reboot without resetting the security context on /etc/shadow… yeah, good luck with that.
The same procedure can be used for /etc/group and /etc/gshadow, naturlich.
Red Hat Enterprise Linux 6.4 installs samba4-libs by default
I’m arguing with Red Hat again… the latest downloadable DVD of RHEL6 by default installs part of samba 4, which is supposed to be an unsupported “technology preview” and not a mainline package. In what world does it make sense for your flagship product, for which you sell expensive support contracts, to depend on a chunk of code you decline to support? How is that not bad craziness?
If you try to tear it out with rpm -e you’ll get sssd dependency errors. And ghods, I hate the way RHEL6 and up basically force you to run half-baked name and authentication service caching daemons – my networks worked faster and better without caching, because we actually had a high performance LDAP infrastructure that didn’t need such Microsofty complications. But that’s another rant entirely.
dependency hell, you trigger bug 984727 which Red Hat has set to CLOSED WONTFIX.
ANYway, if you say OK I will upgrade to Samba 4 to avoidUpdate: Andreas Schneider of Red Hat and the Samba Team has clarified the matter. Since FreeIPA (Red Hat’s Active Directory implementation) and sssd (Red Hat’s new authentication daemon, much like PADL’s PAM and NSS modules only rawer and more oriented toward caching) both require the samba4-libs library in RHEL6, that single package is now officially supported – although version 4 of the Samba Suite is otherwise still a “technology preview”.
Oldest PC virus?
The first time I had to wipe out a nest of pesky MBR virii it was the Stoned virus; the next one I encountered was Pakistani Brain, which Mikko Hypponen is claiming is actually the oldest virus, and then Jerusalem B (which was nightmarish compared to the first two).
Since we don’t know when Stoned was written, it seems a bit presumptive to assume that Brain came first. They were both encountered in the wild in the same year.
Sophos says knoppix.net is hacked?
I’m used to getting my knoppices from knopper.de, so it’s not a big deal to me, but…
“High Risk Website Blocked
Location: knoppix.net
Access has been blocked as the threat Mal/HTMLGen-A has been found on this website.”
and
Mal/HTMLGen-A
Category: Viruses and Spyware
Protection available since: 16 Sep 2009 07:27:38 (GMT)
Type: Trojan
Prevalence: Small Number of Reports
Characteristics: Downloads code from the internet
How it spreads: Browsing
Affected Operating Systems: Windows Mac OS Linux
Sophos has been known to have a few false positives (cough, cough)…
dkms patches go live
My fixes for Dell’s Dynamic Kernel Module System made it into their git tree.
Mario’s still reviewing my rewrite of the autoinstall loop, but that’s not actually very important from a functional standpoint. Presumably there will be a fresh release as soon as he’s rejected or accepted it.
I’ve already distributed RPMs at work with the fixed AoE and DKMS packages, so we’re stable at this point.