When evince says ‘Unable to open document "<BLAH>". PDF document is damaged’

During the past few months I’ve been “Docusign”ing things, and the website lets me download the finished document, which is great. But until now I haven’t been able to view them using CLI tools unless I pointed a browser (firefox in my case) at them.

Finally I applied the LMGTFY principle (the 21st century version of RTFM), I did a web search on the message, which eventually led me to this nice article on superuser.com. The short version of The Answer is:

gs -o FIXED.pdf -sDEVICE=pdfwrite  -dPDFSETTINGS=/prepress CORRUPTED.pdf

That↑ worked great for me, though someone recommends instad -dPDFSETTINGS=/default.

Flushing a toilet on SBB CFF FFS intercity trains: a guide for the perplexed

TIL how to do it. Basically, press the "WC" (dark letters on white background) on the wall to the right of the toilet; see image at right.

This was a puzzle on IC5, running between Zürich and Genève. If you know German, the "spülen" (which you can't quite make out on the image) might have been obvious, but I did not know that word until just now.

“Our heat pump water heater isn’t heating!”

Dear Dad,

Last night, Carol called to me from the bathroom: “Our heat pump water heater isn’t heating!” Yep, we had one of those installed. You know, those things that run like a refrigerator in reverse? I still remember your explaining to me how the freon or whatever gets compressed and heated, then sprays into the part of the system inside the fridge, cooling everything. I also remember your telling me that I didn’t know how lucky I was, and you were right—I didn’t. But what I'm thinking of now is how lucky I was to have you as my father.

Anyway, I ran out to the patio, where the heat-pump water heater is, and opened the door to its closet. It was dark, where usually a LCD display shows what it's set to. H’m. I went to the subpanel in the house. The breaker had been tripped—I wondered why. I switched it to ON and immediately heard arcing. Oh no! I quickly turned it off. Why…?

The cover had one screw mostly off? Oh, the sheetrock guy had to remove the cover in order to put the wallboard on. There was joint compound around the edges, too. Right, the bathroom project still isn’t finished. Yes, we’re using a contractor. Unlike you, I don’t do all this stuff myself any more.

I looked closely at the breaker—was it a little cockeyed? It would be easy to accidentally jostle it while removing or replacing the cover.

I pulled out the (30A 240V) pair of breakers, and the one breaker’s “jaws” looked a little too wide; that was somehow unsurprising; it was the one grabbing the, uh, busbar with the dark deposits (from the arcing, I reckon).

No bueno. It was already late, was I going to have to run out and find…? Wait—didn’t I have a spare 30A 240V pair of breakers? Last summer? (fall?), when I thought our old oven might have been the victim of a flakey circuit breaker, I spent the $20 on a replacement pair, which I never installed. Good thing, too; the old breakers were just fine, as proven by the new oven’s flawless operation from day one.

And an even better thing: I had a brand-new pair of breakers to use on the heat pump! I made my way to the garage, found the breakers where I’d left them, and examined them to make sure I correctly remembered their rating. 30A—yes! The jaws had equal (to my eye) and narrow widths, and each pair of jaws also had a little bit of, ah, conductive toothpaste—at least that’s what it looked like—to promote solid contact with its busbar.

Now all I had to do was get the wires off the old breakers and onto the new ones. Wow, why are these screws so hard to turn? Was it because I was using a common screwdriver when I should have been using a square-drive? Modern technology! Fortunately, I had an S2 bit for the cordless screwdriver, which I bought just a couple weeks ago for another purpose. Out in the garage, I found the package exactly where I’d left it (wow, I should buy a lottery ticket). I pulled one off the card (I’d bought a pair) and grabbed my multi-driver tool with the appropriate hexagonal hole (a freebie from when I worked at hp over 20 years ago).

Screws sure turn more easily when you have the right blade. Got the wires off the old breakers and onto the new ones. I might have liked to clean the black deposits off the busbar, but nah, I didn’t want to try figuring out what to clean it with (something not made of metal) and besides, what harm would that stuff do? The conductive toothpaste would ensure a good bond.

Engaged the outer edge of the breakers, then pressed the inner edge all the way in. Turned the breaker to “ON.” Outside, I was greeted by glowing digits: 121°. I headed back in to button up.

I didn’t fully tighten the cover screws, since the joint compound wasn’t dry everywhere. Then I texted my general contractor, asking him to please tell the sheetrock guy that I had to replace the breaker, and that's why I had to touch that breaker panel. He’d certainly be able to tell that I touched it, and I wanted him to know why.

Dad, I’m so glad you taught me all the stuff you did. I truly am a lucky man. I just wish I could still pick up the phone and tell you about this little adventure. You’d commiserate with me and laugh (“Are you saying your wife called to you from the shower, and she just wanted you to fix the hot water?”). You’d agree it was a lucky thing I had not gotten around to returning the unused circuit breakers last summer or fall. You’d congratulate me on the quick diagnosis. I sure would have enjoyed all that. But mostly I would have just enjoyed telling you about it, knowing you understood my thought process.

Love you and miss you, Dad.

Suddenly my automounts don't work... and a hack fix

The server, p64, is debian 11 (bullseye); the client is mac os x (darwin kernel version 23.1.0 Mon Oct 9 21:27:27 PDT 2023. Automounts used to work but somehow stopped, I'm not sure when. I have homedirs on Linux, as /home; I want to read/write the Linux /home as, uh, /home.

After searching frantically, here is something that kinda works. First, on linux:

• sudo systemctl start rpc-statd
• sudo service rpcbind start

Then, on mac os, forget about automounting, just do it manually. As root:
mount -o resvport p64:/home /home
and it all works.

I want to figure out the "real" automounter problem, but right now I just want to do what I sat down to do.

Can't pull Kenmore 790.47892602 builtin oven from its cabinet?

Like the person in this doityourself.com post, I had a problem where the oven stopped heating after being put through a cleaning cycle.

If an ounce of prevention is worth a pound of cure, the prevention is: Never let it clean for more than TWO hours. The default 3-hour cleaning cycle always engages the thermal safety device; the oven won't heat at all until you reset it. Which is a real pain.

OK, for the cure. The overall goal is to reset the safety switch, which in our oven, looks like the photo at left; I reset it by pushing on the red button. The body of the switch is about an inch in diameter (your switch might look different). You get at the switch by pulling out the oven (you will need a stepladder or something to hold it up so it doesn't fall on some body part) and removing a big piece of sheet metal.

How do you pull the oven out? The book says (figure 7, page 6) to use a certain tool (which I don't have or can't find) to release the mounting bracket; see the diagram at right. Since I don't have the tool, I inserted a common screwdriver with a 4-inch blade, ⅛” wide. Insert into one hole, keeping the blade horizontal, and pull that side of the oven out ½–1”. Pull the screwdriver out and repeat on the other side. Where exactly is the hole? In the photo below on the left, my index finger shows where to insert the screwdriver; the photo on the right (or maybe below it) shows what that looks like with the oven removed.

The photo at left shows where the mounting bracket (above) engaged with the oven body; that's what keeps the oven from falling out when you open the door (I mean, even before you try to pull it out).

BEFORE YOU PULL THE OVEN OUT MORE THAN AN INCH OR SO, get a step-ladder or some other piece of furniture sturdy and stable enough to support the oven. There is danger of severe personal injury here. The book says the cabinet must be able to support 200 pounds. Avoid a trip to the emergency room and a lot of awkward explanations! I had both a step-ladder and a sturdy wooden patio-chair, to support two corners of the oven.

Once you get the oven pulled out, you remove the sheet-metal panel on the back. There are maybe 6–7 screws that hold it on: one on top, one on the bottom, and two or three on each side. I think I lost one of the screws on an earlier operation. Two of the screws hold on little black, uh, feet, maybe 3mm thick and maybe 1cm in diameter. I don't know how important they are, but they are there.

Once you remove those screws and stow the back cover (hint: with a black magic marker, write on the inside of the cover: "INSIDE"), you'll be able to reach the thermal switch, highlighted in the photo at right in magenta.

Installation is the reverse of removal.

BE SAFE! Remove the supports only after you get the oven pushed in far enough for the mounting brackets to engage the chassis (i.e. far enough that you can't pull the oven out).

assimilating a new (to us) imac: SMTP mail

So the mac mini is almost a teenager so we got a new box. According to "About this Mac" it's "iMac (retina 5K..., 2019)" running macOS Monterey 12.0.1. I need to get dovecot on it, among other things.

<…time passes…>

OK that was... October maybe? I moved "all" the files with either scp or rsync, upgraded to Ventura, installed crashplan for small business and told it to back up Carol's files (and to stop backing up the old mac mini). Carol's been using the new machine to good effect for a few months now, but I'm still using the mini to fetch SMTP mail from my ISP. The setup is byzantine, and in case I'm still using that email when we replace the 2019 iMac, I'll record how it handles smtp mail for my future self.

Fetching the mail here

The mini runs a "service"... I thought we could "fetchmail -d 60" but how to send password encrypted? It would certainly be bad medicine authenticating in cleartext!

The solution involves an ssh tunnel and a macos "service." Apparently if you put an XML file named somethign.plist in /System/Library/LaunchDaemons/ then macos will run it as root on startup. Mine looked like this:

unknownc42c0321f10e:~ admin$ cat /System/Library/LaunchDaemons/collin.admin.tunnel.plist         
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
		<string>collin.admin.tunnel</string>
	<key>Program</key>
		<string>/Users/admin/tunnel.sh</string>
	<key>RunAtLoad</key> 
		<true/>
</dict>
</plist>
unknownc42c0321f10e:~ admin$ 

OK actually on the mini the username was "postman"; on the imac it'll be "admin" so I'm changing it here.

OOPS... on the iMac, running Ventura, we can't touch /System/Library/LaunchDaemons; instead I had to add the above as /Library/LaunchDaemons/collin.admin.tunnel.plist; I hope it works.

What does /Users/admin/tunnel.sh do? It establishes a tunnel to my ISP, making localhost port 60110 tunnel to the POP server's port 110 for about a minute or two. Then it runs fetchmail. Like this:

#!/bin/bash
ID=$(id -u)
if [[ $ID == 0 ]] ; then
    echo /Users/admin/tunnel.sh | su - admin
    exit 0
fi
PATH=$PATH:/usr/sbin:/opt/local/bin:/usr/bin:/bin
while :; do
        if netstat -an -finet|grep LISTEN | grep 60110 > /dev/null; then
                : be happy
        else
                ssh -f sonic -L 60110:pop.sonic.net:110 sleep 120 & >/dev/null
        fi
        sleep 30                # That should be long enough to open socket
        fetchmail --sslproto "" >> tmp/fetchmail.log 2>&1 &
        FPID=$!
        sleep 120
        kill $FPID
        sleep 10
done

I had a little surprise with the .fetchmailrc: I can't say

poll localhost proto pop3 port 60110 user ISP-username pass ISP-password is admin here fetchall mda "/usr/bin/sendmail -i -f %F %T"

because procmail won't let me fetch from localhost. So I have a hack in /etc/hosts:

127.0.0.1       localhost see.admin.fetchmailrc.invalid

and now fetchmail can, well, fetch the mail.

AND ANOTHER THING... I never used to have to say “--sslproto ""” but it now seems necessary lest I get some SSL error.

Once the mail gets here

… sendmail (or maybe postfix) will try to deliver it, probably to /var/spool/mail/WHATEVER. But we don't want that, so we have to supply a .forward file:

admin@Admins-iMac-2 ~ % cat .forward                                                           
"|/opt/local/bin/procmail"
admin@Admins-iMac-2 ~ %                                                                        

And a .procmailrc, which tries to figure out who the email is addressed to. If there's a header that says
To: collin@<ourdomain>
then that's easy; it's addressed to me.

But what if there's no header like that? What if I'm bcc:-ed? Basically we look for a useful Received:  header. Anyway, the point is, admin's .procmailrc file tries to figure out who the email is for, and then it sends the email to Carol or to me, or to the bit-bucket. It sends the email to us by running /usr/sbin/sendmail, so if I want email processed by procmail, I again have to have a $HOME/.forward, just like "admin" did. And my own $HOME/.procmailrc.

Other stuff

I have to run dovecot on the iMac, but only for Carol's email. She hasn't looked at it for months now, so when she decides to have a look, I'll probably have to figure out how to run dovecot on it.

As for me, I'll nfs-mount $HOME/Maildir from the iMac onto my linux box, which is where I read non-web email. The iMac wasn't exporting any filesystems when we brought it home, so I just did what came naturally: copy /etc/exports from the teen-aged mac mini:

admin@Admins-iMac-2 ~ % cat /etc/exports                                                       
/Users  -network 192.168.1.0 -mask 255.255.255.0

I'll mount that and symlink Maildir there to $HOME/Maildir on the Linux box.

Then I think I should remove /System/Library/LaunchDaemons/collin.postman.tunnel.plist from the mac mini... oh, wait, no, I don't have to do that; I can just make the script do nothing I think.

Then rsync to make the iMac's copy of $HOME/Maildir match the mac mini's copy... for both Carol and me

Admins-iMac-2:~ carol$ time rsync -av 192.168.1.131:Maildir ./
receiving file list ... done
Maildir/
Maildir/log
Maildir/msgid.cache
Maildir/new/
Maildir/new/1673726769.51227_2.unknownc42c0321f10e.attlocal.net
Maildir/new/1673737810.52745_2.unknownc42c0321f10e.attlocal.net
Maildir/new/1673746452.53955_2.unknownc42c0321f10e.attlocal.net
Maildir/tmp/

sent 66405 bytes  received 520272 bytes  7287.91 bytes/sec
total size is 675278927  speedup is 1151.02

real	1m20.414s
user	0m0.292s
sys	0m0.200s
Admins-iMac-2:~ carol$ 

Mine will take rather longer I think...

Then install

upgrade debian stretch → buster → bullseye

I hate upgrades, but python3 on my debian stretch box doesn't grok f-strings, because its python3 is python3.5; fstrings were added in python3.6. It’s been a couple years since I upgraded to stretch (debian9), and security updates have just been discontinued, so I thought, why not skip buster (debian10) and just upgrade to debian11 (bullseye)? Then maybe I could wait four years rather than two before having to do it again.

Of course I didn't see any instructions for a 2-release upgrade, so the first thing was to upgrade stretch to buster. I basically followed the instructions in this article. As root:

• change “stretch” to “buster” in /etc/apt/sources.list
  Casting all caution to the wind, I skipped the part about making a backup
• apt-get update; apt-get upgrade; apt-get dist-upgrade
• reboot

That’s all I did. There was one surprise: thunderbird complained about not being able to connect to “mini1” but I had no idea why. I did, however, try to ssh there from my now-buster desktop; passwordless ssh failed. “ssh -v” showed me that I had the wrong kind of keys now, so I regenerated keys on mini1 (a mac mini), added the the contents of .ssh/id_mini1.pub mini1’s .ssh/authorized_keys, and copied the private key into .ssh/id_mini1. Things started looking better. But thunderbird still said it couldn't connect to mini1. Why was that? The server settings said it was connecting to 127.0.0.1:143; was I running dovecot locally? I had to be, right? Yes, according to /etc/dovecot/dovecot.conf:

 26 # A comma separated list of IPs or hosts where to listen in for connections.
 27 # "*" listens in all IPv4 interfaces, "::" listens in all IPv6 interfaces.
 28 # If you want to specify non-default ports or anything more complex,
 29 # edit conf.d/master.conf.
 30 #listen = *, ::
 31 listen = 127.0.0.2

So when I tried "sudo dovecot", it said the ssl key couldn’t be found, and even gave me a pathname. So I commented it out in /etc/dovecot/conf.d/10-ssl.conf:

  1 ##
  2 ## SSL settings
  3 ##
  4 
  5 # SSL/TLS support: yes, no, required. 
  6 ssl = no                                           ←was “yes”
  7 
  8 # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
  9 # dropping root privileges, so keep the key file unreadable by anyone but
 10 # root. Included doc/mkcert.sh can be used to easily generate self-signed
 11 # certificate, just make sure to update the domains in dovecot-openssl.cnf
 12 ssl_cert = </etc/dovecot/private/dovecot.pem
 13 #ssl_key = </etc/dovecot/private/dovecot.key       ←commented out

I also decided that we don’t need SSL, since hey, 127.0.0.2.

I think I’ll have to do something about the scanner, but otherwise i believe phase I (Stretch → Buster) was pretty easy.

Phase II: Buster → Bullseye

The first part was straightforward but took ... a couple hours? As above, all these steps were done as root:

• change /etc/apt/sources.list to refer to Bullseye rather than Buster
• apt-get update; apt-get ugrade; apt-get dist-upgrade
• reboot

And then…
    “…something about the scanner” ⇐ THIS
So xsane couldn't find the scanner. I got some advice to “sudo scanimage -L” which found only another device (our renter's all-in-one).

A web search on “brother scanners linux” (no quotes) led me to Install the scanner driver (deb) - Linux - BrotherUSA, where I learned what to do, again as root:

collin@p64:~$ brsaneconfig4 -q
                                                             ← nothing appeared here at all!
collin@p64:~$ sudo brsaneconfig4 -a name=mfc9340 model=MFC-9340CDW ip=192.168.1.40
collin@p64:~$ brsaneconfig4 -q
* *MFC-9340CDW [   192.168.1.40]  mfc9340                    ← Now that’s more like it!
collin@p64:~$ sudo scanimage -L
device `brother4:net1;dev0' is a Brother mfc9340 MFC-9340CDW
device `escl:https://192.168.0.235:443' is a HP ENVY 6400 series [BA2627] SSL flatbed scanner
collin@p64:~$ 

And with that, the scanner works. Mail works. Browsers (both firefox and chrome) work. Maybe something else won’t, but that's all for today.

July 29 update: auto-sleep, crashplan

A new-ish feature in Bullseye (it may have come in with Buster?) is that the box will sleep if I walk away for 20 minutes or so. This is fine, except when I'm logged in over VPN and I'm using vmware horizon (yes i have to use that for work). I need to disable it when I'm at work, so I just leave the Settings app up, with Power settings selected. Then it's front and center and it's obvious to me that auto-sleep is either on or off. Usually I re-enable it when I'm done with work for the day.

I got email yesterday or so, saying that my backups haven't happened since the OS upgrade. My first thought was, oh, it's because of being asleep. But then I turned off auto-sleep and tried logging in to the code42 app... no joy. After thrashing for a while, I went to the code42.com support site, where I couldn't login. Oh, I had forgotten that I'd already added google authenticator to firefox! I used it to get my magic rotating number and I was in. I saw the advice to reinstall the app. OK, fine; I downloaded the package, did what came naturally, and said: sudo /usr/local/crashplan/service.sh start

Which didn't work. I looked at /usr/local/crashplan/log/service.log.0 and... something about missing libuaw.so; a web search led me to this post on reddit with the answer: zcat the "CrashPlanSmb_10.0.0.cpi" file (it's in the downloaded tarball), find libuaw.so in the appropriate subdirectory of nlib/ (they didn't have "debian11" but the Reddit-or said ubuntu20, which thankfully worked) and copy it into /usr/local/crashplan/nlib; shazzam! up and running.

August 20 update: convert(1) issue solved; crashplan, not so much

I wanted to convert a ".png" file to PDF, as I have done many times before, but now I get:

convert-im6.q16: attempt to perform an operation not allowed by the security policy `PDF' @ error/constitute.c/IsCoderAuthorized/421.

How annoying! A web search got me to this stackoverflow post; I followed its advice, but kept the old /etc/ImageMagick-6/policy.xml as /etc/ImageMagick-6/policy.xml-dist; here's the diff:

$ diff -u /etc/ImageMagick-6/policy.xml{-dist,}
--- /etc/ImageMagick-6/policy.xml-dist	2021-04-20 07:37:59.000000000 -0700
+++ /etc/ImageMagick-6/policy.xml	2022-08-20 20:19:06.962756505 -0700
@@ -90,10 +90,12 @@
   <!-- in order to avoid to get image with password text -->
   <policy domain="path" rights="none" pattern="@*"/>
   <!-- disable ghostscript format types -->
-  <policy domain="coder" rights="none" pattern="PS" />
+  <!--  -->
+  <policy domain="coder" rights="read|write" pattern="PS" />
   <policy domain="coder" rights="none" pattern="PS2" />
   <policy domain="coder" rights="none" pattern="PS3" />
   <policy domain="coder" rights="none" pattern="EPS" />
-  <policy domain="coder" rights="none" pattern="PDF" />
+  <!--  -->
+  <policy domain="coder" rights="read|write" pattern="PDF" />
   <policy domain="coder" rights="none" pattern="XPS" />
 </policymap>

And now, convert(1) can do everything I was accustomed to using it for.

Crashplan, though… I thought (from a few weeks back) that the service started so everything was good, but not so much! /usr/local/crashplan/log/engine_output.log ends like this:

  Java virtual machine created.
Starting service.
[08.20.22 10:24:56.599 INFO  main             com.code42.utils.ClassFinder] Loaded classpaths in 1960 ms
#
# A fatal error has been detected by the Java Runtime Environment:
#
#  SIGSEGV (0xb) at pc=0x00007fc570a458a7, pid=326423, tid=326535
#
# JRE version: OpenJDK Runtime Environment Temurin-11.0.12+7 (11.0.12+7) (build 11.0.12+7)
# Java VM: OpenJDK 64-Bit Server VM Temurin-11.0.12+7 (11.0.12+7, mixed mode, tiered, compressed oops, g1 gc, linux-amd64)
# Problematic frame:
# C  [libuaw.so+0x1c8a7]  std::filesystem::path::~path()+0x7
#
# No core dump will be written. Core dumps have been disabled. To enable core dumping, try "ulimit -c unlimited" before starting Java again
#
# An error report file with more information is saved as:
# /usr/local/crashplan/hs_err_pid326423.log
[thread 326523 also had an error]
#
# If you would like to submit a bug report, please visit:
#   https://github.com/adoptium/adoptium-support/issues
#

WHOA, did you see that libuaw.so part up there? Do I maybe have a bad libuaw.so? It's late now, though, so maybe in another day or two I'll…

September 24 update: crashplan solved!

OK, so what happened last month was: I did more searching and read another reddit post which said that in 2019 (!) there was no excuse not to run apps in containers. Good point! But I didn't want to do that without learning more about containers. I mean, I can spell "runc exec -it <CONTAINERNAME> bash" (wait, did I get that right?) but beyond that…

I ordered and waited for my own personal copy of Docker: Up & Running 2/e then procrastinated… today I decided, better get to it. Now, where was that reddit post that pointed me at the container to…? Huh, couldn’t find it. Instead I re-found the reddit article linked above, but this time I noticed this comment:

Thanks a lot! Worked on Debian 10 with the ubuntu18 file and on Debian 11 with the ubuntu20 file.

WHOA; I’ve got debian11; which one did I install last month (which crashed)? Based on this output

$ ls -o /tmp/code42-install/nlib/*/libuaw.so
-rw-rw-r-- 1 collin 486008 Aug 21 08:25 /tmp/code42-install/nlib/rhel7/libuaw.so
-rw-rw-r-- 1 collin 243440 Aug 21 08:25 /tmp/code42-install/nlib/rhel8/libuaw.so
-rw-rw-r-- 1 collin 232944 Aug 21 08:25 /tmp/code42-install/nlib/ubuntu18/libuaw.so
-rw-rw-r-- 1 collin  52456 Aug 21 08:25 /tmp/code42-install/nlib/ubuntu20/libuaw.so
$

I evidently installed the rhel7 one. D’oh! Replacing it by the ubuntu20 one and crashplan is running, without having to do the container thing.

PS: the container thing is https://github.com/jlesage/docker-crashplan