So, as those of you who follow me elsewhere may know, I’ve been getting into CNC recently, with the help of this sweet little desktop machine:

The Genmitsu Cubiko, from SainSmart via Kickstarter. And since it has arrived here, I’ve been having a merry old time designing little widgets in Fusion 360 and milling them out of assorted bits of scrap lumber hereabouts as I learn and practice on my way to larger projects.

As of yesterday, however, the laser module I got along with the machine in the Kickstarter arrived, so I’ve been getting started with some laser engraving. This module, as it turns out, is the already-existing Genmitsu CFL55-33 laser module, a nice 5.5W violet diode laser that works very nicely indeed.

But for one eensy issue.

Connecting it up and configuring it (using LightBurn for now, at least) was simple, as was using it. But where physical installation is concerned - well, the Cubiko uses a 42 mm spindle, which you take out and replace with the laser module. There are four corners neatly cut into the otherwise circular interior of the spindle clamp to let you do just this. But unfortunately, it turns out that in practice - at least on mine - when you put the laser in the spindle clamp and tighten its bolt as far as it will go, the laser (at 33 mm each side) is just too small to stay fixed. Close enough that it will stay where you put it, even, but that’s not quite tight enough for me to trust it when it’s moving back and forth at laser-engraving speeds.

At first I was able to shim it with a thin piece of wood I had handy, and move on. Which worked fine for my initial runs, but isn’t what you might call a permanent solution.

So I turned to 3D printing for a solution, but printing a round holder for the laser was out: a 33 mm square won’t fit into a 44.5 mm (the interior diameter of the clamp) circle, period. So instead I experimented by making a thin, square belt for the laser, to slip on over it and clamp down.

That worked, but even a very thin “belt” - one that came out on the printer as a single wall, and that alone - was too much. While it would hold the laser in place, it bowed out between the corners in use, and also placed what I deemed to be excessive strain on the clamp.

Which led me to my eventual solution.

This, if you will, is a laser wearing suspenders.

My eventual 3D print job (which you can download here as the .STL to print, or here as the original Fusion archive) consists of two small right-angled “suspenders”, each one printed wall thick, which widen the laser for 18 mm of its height at the appropriate spot, just enough to let the spindle clamp grip tightly.

To make sure I installed them at the right spot (just below the vents, as seen in the below picture), I used the following procedure:

1. Dialed the laser in, while placed in the clamp, for a job on very thin material. For me, this meant positioning the Z axis at -38 mm (machine coordinates), and positioning the laser thereafter with the built-in focus widget on a 2 mm wood blank over my spoilboard.

2. Using a thin Sharpie, make a small mark on each side of the laser where it emerges from the bottom of the spindle clamp.

3. After removing the laser, place a drop or two of cyanoacrylate adhesive on the inside of each “suspender”, and apply them to the front corners of the laser as seen in these pictures, lining up the bottom of the suspender with your mark.

4. Let the cyanoacrylate cure. I don’t recommend putting the laser back in the clamp until it does.

As long as you’re installing it at a height where the “suspenders” are within the clamp, from now on, your laser should fasten there securely.

You’ll note that by setting the default position for them where I did - i.e., dialing in the laser on very thin material - there’s plenty of room to adjust the position of the laser for different jobs - there’s only a small distance further down you can go before reaching the bed, and with 18 mm of “suspender” inside the clamp in the original position, there’ll still be plenty available to hold the laser in position.

Going up, you’ve got 18 mm in which you can raise the laser inside the spindle clamp before the top of the “suspender” reaches the top of the clamp, not to mention a whole 38 mm of Z axis to play with.

And that’s how to make your laser stop slipping!

Update:

After receiving some data points that other people on those versions have not been experiencing this, and some digging with Wireshark, it turned out that it was not, strictly speaking, the iOS updates that were responsible for this. It was a little weirder than that.

Looking at packets did reveal the iPhones making DNS-over-HTTPS queries to places they weren't supposed to, and digging further revealed that somehow - and figuring out how is going to occupy me for some considerable time, I suspect - someone slipped them a mickey.

Somehow they both ended up with a device configuration profile installed that was not supposed to be there. I have no idea how that managed to end up installed and activated without the usual manual permission prompts drawing the attempt to do so to our attention, and yet there it was, in our base pwning our DNS.

A couple of erase-and-resets later, and normal operation has been restored. To the iPhones, anyway. (The less said about my paranoia the better.)

Previous Post

Not, you understand, that I would complain if someone has all the details of how to make iOS play nice again to pull out of their pocket before I find time to figure it out myself.

So, having recently updated to iOS 18.4.1 and/or 18.5 (yes, the beta), I note that ads and other such things are no longer blocked on iPhones hereabouts, which ordinarily Pi-hole takes care of nicely.

This is definitely not a Pi-hole issue, insofar as it continues to work just fine for every other device on the network: evidently Apple have figured out some ingenious way to bypass local DNS servers. (Even though it claims to be using said DNS servers - which I suppose is true for local addresses, while lying through its damn teeth otherwise.) Until a means is found to block this new perversion, y’all may want to upgrade cautiously to 18.4.1 and beyond.

Damn their sleek and shiny hides.

(I also note that the iPhones not playing ball has changed my average percentage queries blocked from in the 13-14% range down to 0.7% blocked. Don't you just love 'em?)

My Setup, For Those Bothered To Repro

Very standard IPv4/IPv6 setup: Pi-hole queries OpenDNS, and in turn local DNS servers forward all non-local queries to Pi-hole. Everything else goes via those servers, only those servers query the Pi-hole directly, and they never make recursive queries of their own.

Versions:

Core
Version is v6.0.6-66-g3cbaee7 (Latest: null)
Branch is development
Hash is 3cbaee7b (Latest: 3cbaee7b)

Web
Version is v6.1-60-ge851470e (Latest: null)
Branch is development
Hash is e851470e (Latest: e851470e)

FTL
Version is vDev-f0966a9 (Latest: null)
Branch is development

Specifically, for small self-hosted home or office networks which contain services that:

• want to use e-mail

• will never communicate with anyone on the internet

• should not ever communicate with anyone on the internet

i.e., a very common requirement for people who want to run services for family and friends but have absolutely no use whatsoever for making those services available for anyone else.

This should be very simple. Ideally, it should be like this:

• Understands one (non-public) mail domain. Rejects all e-mail going anywhere else.

• Talks to a configurable number of local networks (for me, the local LAN, the tailnet, and a couple of minor local subnets). Rejects all packets coming from or going to anywhere else.

• Has configurable mailboxes (not a catchall). Bounces all mail that does not go to a configured mailbox on its one mail domain.

• Makes said mailboxes available through POP3. IMAP if you want to get fancy. No web interface needed or wanted.

• (I once thought, in a peak of bizarre enthusiasm, that instead of/alongside mailboxes a feature that would rewrite both envelope and header destination addresses from foo@internal.lan to foo@external.net and then forward the mail to a configurable external e-mail server would be desirable, but that’s probably way too fancy to be in scope for this project.)

And that is it!

It is, like I say, a moron. That’s because mail servers are complex beasties which require great complexity and sophistication to function out on the wilds of the Internet, and consequently are a giant pain in the ass to administer securely, to the point that advice given these days to people who want to run their own mail servers can be summed up as “Don’t”.

(I used to. I probably wouldn’t any more.)

Which is part of the problem when what one wants is a simple idiot mail handler to deal with mail from cron jobs and self-hosted servers that just want you to confirm your password and notify you that jobs have been completed, because while virtually any mail server can be set up to meet the above description, it is neither simple nor quick nor, given complexity, necessarily all that robust.

So how about it, folks? Anyone seen a good candidate for MoronMail out there? Or inspired to write one? Don’t make me beg.

As I got to find out yesterday.

Specifically, there’s been this intentional breaking change here to disable snapd-apparmor outright on WSL regardless of version, on the grounds that the Microsoft default kernel does not include LSM support and the Microsoft-supplied init doesn’t enable AppArmor stacking.

Rather unfortunate, in my opinion, after all the work various of us, myself included, put in to make both AppArmor and snapd work under WSL2 (with, of course, an AppArmor-enabled custom kernel and a cautionary note regarding cross-distro leaking). It’s not the decision I’d have made, inasmuch as snapd detected and responded to the presence of AppArmor correctly on WSL as it would on any other platform, and anyone compiling such a custom kernel and using it under WSL assuredly knows what they’re doing and that certain customizations and configurations will leak from distro to distro.

But whatever: I’m not on the snapd team and those who are may configure it as they see fit. I’m just a kibitzer, albeit a kibitzer who’s just a little salty that a breaking change like this didn’t make it into the release notes, when it would have been real nice if apt upgrade had warned me ‘bout this aforetime.

That being said, when things break, I fix. No elegant fix this time: I just cloned a copy of the snapd repo:

git clone https://github.com/snapcore/snapd.git
cd snapd

Installed the build dependencies:

sudo apt build-dep .

Edited the relevant source file (this one)…

nano src/snapd/cmd/snapd-apparmor/main.go

to change return false back to return true here (lines 70-81 at time of writing):

func isContainerWithInternalPolicy() bool {
	if release.OnWSL {
		// [eight lines of comments]
		return false
	}

Built the relevant component:

go build -o /tmp/build/ ./cmd/snapd-apparmor

And copied it manually into place:

sudo cp /tmp/build/snapd-apparmor /usr/lib/snapd/snapd-apparmor

(And, of course, held future updates of snapd so I can be sure to do this manual bit at the same time.)

sudo apt-mark hold snapd

And that’s how you fix your machine that just broke.

(I could, I suppose, include a copy of my patched file here, but I’m not going to encourage you to download executable files promising fixes from random people on the internet, especially as I just had someone try to phish me that way on GitHub, of all places. Y’all know how to herd a compiler. Go to.)

Those of you who have been using the patch I gave you some time ago to let you build apt packages for WSL Linux kernels (bypassing the problem with the version string - for details, see here) will have noticed that due to changes in the upstream kernel it doesn’t work any more. As I found out myself today, when building myself a 6.10 WSL kernel.

Anyway, the patch has actually got much simpler in recent versions, requiring just a one-line change in scripts/package/mkdebian:

commit eaaf50fb25f93d438d4a60b1bb581e889ff3287c
Author: Alistair Young <avatar@arkane-systems.net>
Date:   Thu Jul 18 17:31:46 2024 -0500

    Adjusted mkdebian for WSL packages.

diff --git a/scripts/package/mkdebian b/scripts/package/mkdebian
index 070149c985fe..2b3c7055e4a4 100755
--- a/scripts/package/mkdebian
+++ b/scripts/package/mkdebian
@@ -146,7 +146,8 @@ if [ "$1" = --need-source ]; then
 fi

 # Some variables and settings used throughout the script
-version=$KERNELRELEASE
+version=$(echo $KERNELRELEASE | tr '[:upper:]' '[:lower:]')
+
 if [ -n "$KDEB_PKGVERSION" ]; then
        packageversion=$KDEB_PKGVERSION
 else

Sure would be nice if we could get this into upstream.