
Baudizm at Blogged

May 18, 2009

Virtualized CentOS5 via VirtualBox on Ubuntu

Filed under: Linux, Tips and Tricks - baudizm @ 3:59 pm

Funny as it may seem, I fell for it (yet again perhaps?). I’ve installed CentOS5 on top of VirtualBox 2.2.2 on my Ubuntu Hardy 8.04 for the sole purpose of testing out ASP.NET hosting using Mono, XSP, and Apache. And I was in for a surprise that I could not access my virtual machine’s Apache web server instance.

I was able to install VirtualBox 2.2.2 vanilla (not the official Ubuntu package) without any problems. I followed it up by installing CentOS5 as a virtual machine. I then proceeded and configured the network interface for the virtual machine on the VirtualBox Management panel, and set it up to use “Bridged” networking.




I proceeded by booting the virtual machine and watched every boot message zip by without a hitch. I then logged into the virtual machine as root and configured the IP address for the network interface. After which, I pinged the IP address and got the reply I wanted. I then tried to log in via SSH, and was able to get in. “Hmm… everything seems to be in order. Might as well continue,” I said to myself. Boy, was I in for a surprise.

I proceeded and configured the web server, enabling name-based virtual hosting, started Apache and tried to browse the test page. And then… nothing! ACCKK!!! I checked the IPTables rules to see if there was something amiss. So far everything seemed to be in order (really?). I tried a couple more times, and still got a failure from Firefox. Hmmm.. what could it be? I pondered for hours over what could have been missed. A colleague suggested flushing the entire set of IPTables rules, which I did, and then tried accessing the web server. What do you know! I was able to browse the basic landing page. “Hmmm.. there must be something wrong with the IPTables rules,” I said, whispering.

I proceeded and checked /etc/sysconfig/iptables again and sure enough, I found the culprit. I mistakenly added the IPTables rule that opens port 80 AFTER the reject rule! No wonder port 80 doesn’t open up. I edited /etc/sysconfig/iptables again, and placed the port 80 rule on top of the reject rule, which will then allow it to take effect first, before the reject rule is activated. And then everything worked as it should.
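The rule-order mistake described above can be caught mechanically. The following is an added example, not part of the original post: it parses rules in iptables-save format and reports any rule that sits after an unconditional ACCEPT, DROP or REJECT in the same chain. The sample rules are constructed to mirror the situation in the post, and the function names are hypothetical.

```python
import shlex

# Constructed sample in iptables-save format, modelled on the mistake in the
# post: the port 80 ACCEPT was added after the chain's catch-all REJECT.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}   # targets that end chain traversal
TARGET_OPTS = {"--reject-with"}           # options of the target, not matches


def parse_rule(line):
    """Return (chain, target, has_match) for an '-A' line, else None."""
    try:
        tokens = shlex.split(line)
    except ValueError:                    # unbalanced quotes: not a usable rule
        return None
    if len(tokens) < 2 or tokens[0] not in ("-A", "--append"):
        return None
    chain, rest = tokens[1], tokens[2:]
    target, has_match, i = None, False, 0
    while i < len(rest):
        if rest[i] in ("-j", "--jump") and i + 1 < len(rest):
            target = rest[i + 1]
            i += 2
        elif rest[i] in TARGET_OPTS:
            i += 2                        # skip the option and its value
        else:
            has_match = True              # anything else narrows the match
            i += 1
    return chain, target, has_match


def find_shadowed(text):
    """List rules placed after an unconditional terminal rule of their chain."""
    blocker = {}                          # chain -> line number of the catch-all
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("*"):          # a new table starts: forget chains
            blocker = {}
            continue
        parsed = parse_rule(line)
        if parsed is None:
            continue
        chain, target, has_match = parsed
        if chain in blocker:
            findings.append({"line": no, "chain": chain, "rule": line,
                             "blocked_by_line": blocker[chain]})
        elif target in TERMINAL and not has_match:
            blocker[chain] = no
    return findings


if __name__ == "__main__":
    for f in find_shadowed(SAMPLE_RULES):
        print("line %(line)d never matches (catch-all at line "
              "%(blocked_by_line)d): %(rule)s" % f)
```

On a real system the same function can be given the contents of /etc/sysconfig/iptables before the firewall is restarted.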



Lesson? Sometimes the obvious things are really hard to find and double checking definitely will prevent the unnecessary debugging for when your system goes to production. I’m just glad this is a simulation system and not production.

I think it was stupid of me not to notice the order of the rules in the iptables file. What do you think?



December 1, 2008

Quick Tip: Use DPKG to replicate between Ubuntu installs

Filed under: Linux, Tips and Tricks - baudizm @ 9:22 pm

This is just a quick tip I’m putting up on replicating existing packages between Ubuntu installs. I tend to keep forgetting how to do it every time I do a total reinstall of my Ubuntu box. The following simple commands will list all installed packages and export the list to a file, which you can copy to a USB thumbdrive and import later after doing a reinstall/upgrade. In other words, the following steps will automate your package reinstall so that it mimics your old Ubuntu install.

hw@myubuntu:~$ dpkg --get-selections > pkginstalled

The above snippet uses the dpkg command with the --get-selections parameter to read the installed packages and dump them to a plaintext file. You can then copy pkginstalled to a USB thumbdrive for later, and proceed with the reinstall or system wipeout/upgrade.

After your new system has been reinstalled, instead of manually installing all the applications that you had previously, just do the following commands to automate the process.

hw@newbox:~$ sudo dpkg --set-selections < /media/disk/pkginstalled
hw@newbox:~$ sudo apt-get dselect-upgrade

The above snippet imports the list of packages from the file pkginstalled in /media/disk (the USB thumbdrive); replace it with the path where you copied your package list file. The next command does the actual package installation based on the list of packages imported.

NOTE: If you were using non-official repositories, please add the necessary third-party repo prior to doing the steps mentioned above.

Enjoy!



October 13, 2008

Enabling JSON on PHP 5.1.2 in SLES10

Filed under: General OpenSource, Linux, Tips and Tricks - baudizm @ 4:56 pm

JSON is a trivial package feature and the extension already comes built-in with PHP 5.2.x, so this is not so much a problem for users of the latest PHP build. However, if you are using SLES10 SP1 and below, and haven’t updated PHP and still use 5.1.x, then you’ll be in for a surprise. JSON isn’t available in the default install, let alone as a package that you can get from YAST, unless you have updated your Installation Sources.

The quickest and simplest way is not to depend on vanilla sources but rather to use PEAR since it is already in SLES10.

1. Open YAST.

2. In Software Management, search for php-devel and install it. php-devel provides phpize which PEAR will be using later on to install the JSON package.

3. Open Terminal, and run the command as root:

pear5 channel-update pear.php.net

4. In Terminal still, follow it up with:

pear5 install pecl/json

This will install the latest JSON package.

After installing JSON, locate your php.ini, and add the following line in the Dynamic Extensions section.

extension=json.so

Save php.ini and restart Apache.

Congratulations! Enjoy.



August 20, 2008

Allow outbound FTP through PFSense firewall

Filed under: General OpenSource, Tips and Tricks - baudizm @ 1:30 pm

PFSense is a great tool to have that provides a firewall, traffic shaping capabilities, load balancing and failover, and other features plus fully extensible by way of third party opensource “plugins” and packages that you can install via its web console.

Recently though, some of our devs need to connect via FTP to a remote server. And apparently they’ve encountered some weird problem with FTP:

user@ubuntu:~$ ftp some-server.com
Connected to some-server.com.
220 ProFTPD 1.3.1 Server (some-server.com) [143.44.52.54]
Name (some-server.com:user): ftpuser
331 Password required for ftpuser
Password:
230 User ftpuser logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
500 Illegal PORT command
ftp: bind: Address already in use

ftp>

A little investigation revealed that in order for FTP to work, we need to have the FTP Helper proxy application working on the LAN interface of our PFSense box, then add a firewall rule, more like a “transparent FTP proxy”. If you get my drift.

Let’s do it

1. In PFSense, click on Interfaces, LAN

Click on Interfaces | LAN

2. Make sure that “Disable the userland FTP-Proxy application” is unchecked.

3. Save your setting, and then click “Apply this setting”.

4. We will now add a rule to permit our LAN traffic to access our FTP-Proxy application ports 8000-8030 on 127.0.0.1. To do so, click on the “+” button at the bottom or at the top of the list of rules to add your new rule. Make sure that the new rule will be on top of all the other rules.

Click  Firewall

Setup your new rule.

Put the new rule above all other rules.

5. Save your new settings, and apply.

Test your FTP connection.

Enjoy!



June 5, 2008

Retrieving LVM volume data with Ubuntu and backup to NFS server

Filed under: Hard and Soft, Linux, Tips and Tricks - baudizm @ 3:08 pm

It’s just a really weird problem that we have today. A perfectly fine Fedora box just suddenly will not boot. When it tries to initiate booting, GRUB fails saying that the hard drive just cannot be read. The box is somewhat critical and we need to have it running back up (pun intended) since it’s our backup server for most of the managed sites. I guess it’s not as healthy a box as we have been believing.

A little history, it’s an Intel P4-based box on an ASUS P5DR1-VM mobo, on 1GB of RAM. Yeah, it’s not a hefty box. Fedora 8 was installed by a colleague without any issues. Until recently.

It was running fine the other day, then yesterday it just stopped. Checking what happened, the primary hard drive, a Maxtor 80GB PATA, is being bitchy. I rebooted the box and went CMOS. The Maxtor HDD is being identified alright so I proceed to reboot again and see if it will boot up. Again, GRUB stops and cries error reading the drive. “Hmmm.. That’s not right.” I said. I left it overnight and returned to it in the morning.

Another thing that worried me was what if the data on the second hard drive, a Seagate Barracuda 250GB SATA, was also affected? and another thing is that both the Maxtor and the SATA are on LVM!

Aaaarrggghhh!

Crossing fingers, I tried to boot to Fedora 8 install disc and proceeded to use Rescue System. But to no avail… Rescue System wasn’t able to identify a valid Fedora install. “What-the-eff!” Wasting no time, I rebooted and went back to CMOS, all the while feeling the Maxtor hard drive with my hand for any indication that the drive is spinning. Sure enough, CMOS tells me Maxtor’s not there, and the drive isn’t spinning. “Gotcha!” I powered down the box, swapped the hard drive data cable (ribbon cable with new one) and used another Molex power connector (the PSU still has extras) and powered the box up. Checked the CMOS, and voila! Maxtor’s back on the drive list, and the drive is spinning. So far so good. A few things left for me to do — make sure the data is intact, and that I can do backup of the backup (get it?)

This time, I’m using Ubuntu 8.04 Hardy Live CD as my recovery disk. Ubuntu booted smoothly and proceeded to open the Terminal as root. Then tried to check if I’ll be able to see the LVM volumes:

root@linux:~# vgscan
The program 'vgscan' is currently not installed. You can install it by typing:
apt-get install lvm2
bash: vgscan: command not found

Ok, fine. So I proceeded and install lvm2:

root@linux:~# apt-get install lvm2
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
dmsetup
The following NEW packages will be installed:
dmsetup lvm2
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 365kB of archives.
After this operation, 1065kB of additional disk space will be used.
Do you want to continue [Y/n]? y

After installing the required package, I proceed to vgscan again, and saw the LVM volume group - in my case VolGroup00. Before I can proceed, I had to do ‘modprobe dm-mod’ first. I leave it up to you as an assignment what this does =) . I then proceeded and typed ‘lvs’ in the terminal. And then proceeded with the magic incantations:

root@linux:~# mkdir /mnt/myLVM
root@linux:~# vgscan
root@linux:~# modprobe dm-mod
root@linux:~# vgchange -ay VolGroup00
root@linux:~# lvs
root@linux:~# mount /dev/VolGroup00/LogVol00 /mnt/myLVM

And there you have it! I got my LVM mounted, and I was able to copy the data I need from it. Whew!

However, my problem is not yet over. I have no clean destination drive to store the would-be-retrieved data. Hmmm, alright. I’m putting it to our shiny Sun Microsystems X2100 M2 server which currently has 500GB of disk space. Fine, fine. It’s running SLES so setting up the NFS server is a no brainer. However, mounting the NFS share into Ubuntu might be challenging. You wish! It’s not that hard. Back to the magic incantations (Ubuntu side):


root@linux:~# apt-get install nfs-common
root@linux:~# mount myNFSserver:/mysharedfolder/subfolder /mnt/myNFSlocal

Bam! NFS share is now mounted locally, and my LVM is reachable as usual. I now start copying my data to the remote machine, and am still copying as of press time. The data is quite huge you know. But I’m happy. But I just don’t want this to happen again.



May 23, 2008

Add a Samba Domain User to Local XP Admin Group

Filed under: General OpenSource, Linux, Tips and Tricks - baudizm @ 4:35 pm

I’ve somehow finished implementing Samba as primary domain controller (PDC) with OpenLDAP working as authentication backend both running on top of SuSE Linux Enterprise Server. Workstations and users are being added properly into Samba and OpenLDAP and users are able to authenticate seamlessly. However, I just ran into a snag. Some users need to be Administrators in their own computer, while being common users in the domain.

It really is no sweat implementing Samba and OpenLDAP on SLES since it already includes both packages stabilized and ready to run. Novell engineers already did the grunt work of tweaking and hardening both packages plus with the help of YAST, I don’t have to use the smbldap tools to synchronize accounts on Samba and OpenLDAP. No sweat eh?

What I had trouble with was how to select only specific users from Samba PDC/OpenLDAP and make them Administrators on their own machines. I’ve looked for solutions, however many of them did not fit what I want. So I decided to use KiXtart and CPAU instead.

In a nutshell, KiXtart replaces your standard batch file logon script and gives you more flexibility and power than you normally get from batch files. CPAU on the other hand replaces the traditional Run As command on Windows. The main difference is that although Run As allows you to run a command as another user (or admin), you will be prompted for that user’s password in the same manner as when you use SU on Linux/Unix. CPAU allows you to specify the user and password inline, giving you more flexibility with your scripts.

So to add users to the local machine’s Administrators group, I put the KiXtart binary (WKiX32.exe) and CPAU.EXE in Samba’s NETLOGON folder and modified smb.conf to reflect the following:

logon script = logon.bat

In logon.bat, put the line:

%0\..\wkix32.exe %0\..\kixtart.kix

The next part does all the grunt work in identifying the user’s domain group, and checking if the user is a part of the local machine’s Administrators group.

kixtart.kix

Break on

$loffmsg = "Hello "+@USERID+CHR(10)+"This is your first time to logon to the domain."+CHR(10)+"Since @WKSTA is your own computer, you will be added immediately to the local"+CHR(10)+"Administrator group."+CHR(10)+"You will need to log on again afterwards."+CHR(10)+CHR(10)+"Username: "+@USERID+CHR(10)+"Host: "+@WKSTA+CHR(10)+"Group: "+@PRIMARYGROUP

; Check user domain group membership
IF INGROUP("Domain Admins")=1

    ; Check user local group membership
    IF INGROUP("\\"+@WKSTA+"\Administrators")

        ; Already a local administrator: just greet the user.
        MessageBox("Hello "+@USERID,"Greetings!",,)

    ELSE
        ; Hide the console KiXtart is running on
        $rc = SetConsole("HIDE")

        ; Tell the user what is about to happen
        MessageBox($loffmsg,"Reminder",64,)

        ; Run CPAU tool with admin priv to add user to local admin group
        shell '\\MYPDC\netlogon\cpau -u administrator -p admin-password -ex "net localgroup Administrators /add DOMAIN\@USERID" -lwop'

        ; If there's error, show it.
        IF @ERROR MessageBox(@ERROR+@USERID,"Error!") ENDIF

        ; Force the user to logoff after being added so the change will take effect next log on.
        LogOff(1)
    ENDIF
ELSE
ENDIF

Further development
I’m still far from done with this little project. I still have to modify the script, or add some more subscripts, to be able to check if the local machine is the user’s own machine. I will need to implement that the user will only be admin on his own machine and none other. And yes, you can also use KiXtart to modify the registry if you need to.

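Security? You can compile your kixtart script into an EXE executable using the KiX2EXE tool. Keep in mind that the script carries an administrator password in clear text and sits in NETLOGON, which every domain user has to be able to read in order to run the logon script. Compiling it keeps the password out of casual view, but the credential is still handed to every machine that runs it.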
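To audit a copy of the NETLOGON folder for this kind of exposure, the following added example (not part of the original post) flags logon scripts that pass a password to CPAU on the command line. It only knows the -u, -p and -ex options that appear in the script above; the sample text is constructed from that script, and the function names and file extension list are assumptions.

```python
import os
import re

# Constructed sample: the CPAU line from the post with its placeholder password.
SAMPLE_KIX = r'''
Break on
IF INGROUP("Domain Admins")=1
  shell '\\MYPDC\netlogon\cpau -u administrator -p admin-password -ex "net localgroup Administrators /add DOMAIN\@USERID" -lwop'
ENDIF
'''

CPAU_CALL = re.compile(r'\bcpau(?:\.exe)?\b(?P<args>[^\r\n]*)', re.IGNORECASE)
# The quoted command given to -ex is dropped so its own switches are not
# mistaken for CPAU options.
EX_ARG = re.compile(r'-ex\s+"[^"]*"', re.IGNORECASE)
OPTION = re.compile(r'(?<!\S)-(?P<name>u|p)\s+(?P<value>"[^"]*"|\S+)',
                    re.IGNORECASE)
SCRIPT_EXTS = {".kix", ".bat", ".cmd", ".vbs"}   # assumed script types


def find_inline_credentials(text):
    """Report CPAU calls that carry a password, without echoing the secret."""
    findings = []
    # Comment lines are scanned too: a commented-out password is still readable.
    for no, line in enumerate(text.splitlines(), 1):
        call = CPAU_CALL.search(line)
        if call is None:
            continue
        args = EX_ARG.sub(" ", call.group("args"))
        opts = {m.group("name").lower(): m.group("value").strip('"')
                for m in OPTION.finditer(args)}
        if "p" not in opts:
            continue
        password = opts["p"]
        findings.append({
            "line": no,
            "user": opts.get("u"),
            # $var (KiXtart), @MACRO (KiXtart) or %VAR% (batch) means the
            # value is defined elsewhere and has to be traced by hand.
            "literal": not password.startswith(("$", "@", "%")),
            "password_len": len(password),
        })
    return findings


def scan_tree(root):
    """Walk a local copy of the logon script folder; return {path: findings}."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:
                hits = find_inline_credentials(fh.read())
            if hits:
                results[path] = hits
    return results


if __name__ == "__main__":
    for hit in find_inline_credentials(SAMPLE_KIX):
        print("line %(line)d: password for user %(user)s on the command line "
              "(literal=%(literal)s, length=%(password_len)d)" % hit)
```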

I’m just glad that I get to make Windows XP machines play nicely with Samba and OpenLDAP.

Resources:
KiXtart Online Manual
KiX2EXE Tool Homepage



December 15, 2007

A short look at xCHM

Filed under: General OpenSource, Linux, Tips and Tricks - baudizm @ 1:53 pm

The following article contains opinions and personal views of the author and will be taken as such. There is no guarantee to the accuracy, timeliness of some of the information that may be found within the article. The methods that are discussed here might not be applicable in your case. The author will not be held liable for any damage caused by using the method/(s) described in this article . Use the methods at your own risk. - hardwyrd

If you’ve downloaded documentations, help files, and how-tos, I’m pretty sure you’re very familiar with CHMs. CHMs — or Compiled HTML Help (or Manual) files, were pretty much popularized by Microsoft (shudder…) and was(is) in use by Microsoft Help. CHMs are pretty much compact in its own allowing plain HTML help files to be crammed into a single file and yet have its layout and objects intact.

On Linux however, this file format is not natively supported. You’d have to use a reader app to get to the info contained in CHM files. One of those popular CHM readers is gnoCHM. Another, also popular CHM reader is xCHM. xCHM is the one we will take a short look for today.

xCHM is pretty much a basic and simple CHM reader. It features a very simple interface, with standard browsing buttons that you can find in virtually any type of internet browser. The reader afterall is like a browser on its own showing you the contents of a compiled “web site”. Using xCHM is a no-brainer. Since xCHM is not a part of the standard install of your favorite distro (not that I’m aware of), we need to get the package and install it ourselves. For this session, I am using SLED10, however, at the bottom of this article you will find steps in installing it in Ubuntu or Debian.

Getting xCHM
You can get the latest stable xCHM build from its website at Sourceforge. Or you can copy and paste the following to your browser:

http://xchm.sourceforge.net/

In the xCHM site, you can choose to download pre-built binaries for your specific distro, or you can get the source and compile xCHM yourself. I will feature building xCHM from source. Should you want to feel “gung-ho hard core” about this exercise, you may get the package using wget by doing the following in your terminal:

wget http://jaist.dl.sourceforge.net/sourceforge/xchm/xchm-<version-number>.tar.gz

Once you have downloaded the xCHM source, we will need another set of package for it. xCHM uses the wxWidget GUI Library. If your distro doesn’t have this included, we will need to get wxWidget from its website. You may go “gung-ho hard core” again and do the following in your terminal:

wget http://prdownloads.sourceforge.net/wxwindows/wxWidgets-<version-number>.tar.gz

Let’s Build!
Once you finish downloading wxWidget, we will need to extract it and compile it.

# tar xzvf wxWidgets-<version-number>.tar.gz
# cd wxWidgets-<version-number>/
# mkdir buildgtk
# cd buildgtk
# ../configure --with-gtk
# make
# make install
# ldconfig

With a working wxWidget install, we can now proceed to installing xCHM. Again, we will need to extract the xCHM source package and install it.

# tar xzvf xchm-<version-number>.tar.gz
# cd xchm-<version-number>/
# ./configure
# make
# make install

That’s all there is to it!

To test if xCHM works, just type xchm in your terminal or open a chm file directly by typing xchm /path/to/your/file.chm.

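For Ubuntu / Debian users, you may get wxWidget by first adding the wxWidget trusted key. The command below fetches the key over plain HTTP, so compare its fingerprint with one published by the wxWidgets project before relying on it.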

# curl http://apt.wxwidgets.org/key.asc | sudo apt-key add -

Modify your /etc/apt/sources.list to include the wxWidget repo.

# wxWidgets/wxPython repository at apt.wxwidgets.org
deb http://apt.wxwidgets.org/ DIST-wx main
deb-src http://apt.wxwidgets.org/ DIST-wx main

Do an update of your apt cache.

$ sudo apt-get update

Install wxWidget.

$ sudo apt-get install python-wxgtk2.8 python-wxtools python-wxaddons wx2.8-i18n

Once wxWidget is installed, you may proceed in installing xCHM from your Ubuntu repo. Make sure that you search first if xCHM is present, then proceed to installation.

$ sudo apt-cache search xchm
$ sudo apt-get install xchm

You can also do wxWidget and xCHM installation in one command sweep after you have added the wxWidget repo.

$ sudo apt-cache search xchm
$ sudo apt-get install python-wxgtk2.8 python-wxtools python-wxaddons wx2.8-i18n xchm

No sweat. ENJOY!




December 5, 2007

Preparing Xen for multiple NIC, multiple bridge on SLES10

Filed under: General OpenSource, Linux, Tips and Tricks - baudizm @ 4:10 pm

The following article contains opinions and personal views of the author and will be taken as such. There is no guarantee to the accuracy, timeliness of some of the information that may be found within the article. The methods that are discussed here might not be applicable in your case. The author will not be held liable for any damage caused by using the method/(s) described in this article . Use the methods at your own risk. - hardwyrd

Here’s a quick and basic how-to in preparing Xen with multiple bridges with multiple NICs for DomUs on Xen in SLES10.

Objective:
Deploy networking on Xen DomU’s using multiple bridges on multiple NICs. Host OS will utilize two NICs for WAN and LAN connections. Guest OS will utilize two NICs also for WAN and LAN connections. Host OS and Guest OS are using different WAN connections and LAN connections.

Step 1: Verify Xen Presence
Make sure that you have Xen installed. If not, you can do:

1. Open up YAST.

2. Click on ‘Software’, then click on the ‘Filter’ parameters box, and choose ‘Patterns’.

3. Verify that ‘Xen Virtual Machine Host Server’ is checked/selected. If not, then check it. The required packages for Xen are shown on the right panel.

4. To make sure, you can check for software dependencies by clicking on the ‘Check’ button at the bottom of the YAST window.

5. Click ‘Accept’ and let YAST install the packages.

After installation, Xen’s tools will be located in /etc/xen.

Step 2: Prepare NICs for DomUs
By this time, we’ll need to identify which physical NICs we are going to allocate for the DomUs. For our example, our machine has 4 physical NICs labelled ETH0, ETH1, ETH2, and ETH3 respectively. ETH 0 and ETH1 will be used by the host SLES10 (Dom0), while ETH2 and ETH3 will be used by the guest OS (DomU).

To specifically restrict our host from using ETH2 and ETH3, we will need to only initialize the NICs and not declare an IP address nor do we configure them using DHCP. To do just that, we need to:

1. Open up YAST.

2. Click on Network Devices, then click on Network Card.

3. In the Network Cards list, select ETH2 and then set it to ‘None Address Setup’. This will initialize the NIC without an IP address and our host OS will have no use of the NIC which serves our purpose quite perfectly.

4. Click ‘Next’ then Finish.

Do the same for ETH3. Do not forget to setup ETH0 and ETH1 to connect to your desired network.

Step 3: Prepare Xen with multiple bridges
Before we can configure Xen for multiple bridging, we will need to let Xen restart. The optimal way will be to reboot the entire system, or we can just stop the Xen daemon and restart it back up. We can do a Xen daemon restart only if we have already logged into the Xen-enabled kernel of SLES10. If not, we definitely will need to reboot and log into the Xen-enabled kernel.


After booting via the Xen-enabled kernel, we will need to do some preparations before we install our guest OS (vm/DomU). We will need to prepare our network bridges first before our guest OS can use the physical NICs we allocated for our guest OS. We will need two bridges for our guest OS to connect to WAN and LAN. To prepare the bridges, we will need to stop the Xen daemon, and create a wrapper script that utilizes the network-bridge script that comes with the Xen package of SLES10. To stop the Xen daemon, do:

# rcxend stop

We will need to put the wrapper script at /etc/xen/scripts/ along with other Xen tools. The following is a sample wrapper script.

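#!/bin/bash
# Call the stock network-bridge script once per bridge, passing on
# whatever arguments xend gave us (start/stop).
dir=/etc/xen/scripts
"$dir/network-bridge" "$@" vifnum=0 bridge=xenbr0 netdev=eth2
"$dir/network-bridge" "$@" vifnum=1 bridge=xenbr1 netdev=eth3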

Save the file as br-wrapper_script or whatever filename you specify. Make the file executable using:

# chmod 755 br-wrapper_script

After creating the wrapper script, we will need to modify Xen’s configuration to use our wrapper script instead of network-bridge directly. The file of interest here is /etc/xen/xend-config.sxp.

# vi xend-config.sxp

Look for the entry that contains (network-script network-bridge) and change it so that it becomes (network-script br-wrapper_script). The config file will then call our own wrapper script instead of the default network-bridge script.

After the necessary modifications, restart the Xen daemon by entering rcxend start at the terminal. Check if our bridges were created by using ifconfig.


Once you see xenbr0 and xenbr1, you are good to go.

Step 4: Utilizing multiple bridges for the Xen DomU
Xen DomUs can be created through YAST using the virtualization tools.


If “Create Virtual Machines” and “Virtual Machine Manager” are not present, click on Install Hypervisor and Tools. However, if you’ve installed Xen beforehand, you’d have these tools already.

To utilize the multiple bridges, you’ll need to make some side steps in the workflow when you create your virtual machine. Make sure that when you reach the virtual machine summary, click on “Network Adapters”.


Create the necessary number of paravirtualized NICs. In our case we need two.


Make sure that each virtual NIC will be linked to the correct bridge (previously created). Your virtual NIC 0 must be linked to xenbr0, and virtual NIC 1 will be linked to xenbr1.


Exit the Network Parameters workflow and continue with your virtual machine installation.

More info at:
SuSE Linux Enterprise Server 10 VM Network Configuration Examples by Glen Davis (Novell)
NIC Bonding with Xen Virtualization by Joe Harmon, Jim Short
Xen Source Official Site
