I have this fantastic server which redirects console output to its serial port and I wanted to take advantage of it.  I went through the process of setting up inittab and grub to work and then I started testing the configuration.  In Windows using PuTTY, everything worked fine.  As soon as I moved the cable over to the serial port of an OSSIM box, I kept getting this error.

/dev/ttyS0 is not a tty

Googling around returned nothing helpful, which is why I am posting this here.

I have a habit of disabling unused peripherals when I set up a new box.  Since I rarely use serial ports, I disable them.  Well.. that was the problem.  The disabled serial port isn't going to work very well for a serial connection.

Hope this saves someone some time.
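
A quicker check than swapping cables, added here as an example (it is not from the original post): a port that is disabled in the BIOS still gets its /dev/ttyS* node, but /proc/tty/driver/serial records what the kernel actually found behind it, and "uart:unknown" there means no hardware.  The functions below read that file, or a saved copy of it when a file name is passed; the path and the output format are the ones the Linux serial core uses, and the script usage at the bottom is an assumption of the example.

```sh
#!/bin/sh
# Added example, not from the original post.  A port that is disabled in the
# BIOS still gets its /dev/ttyS* node, so opening it fails with errors like
# "/dev/ttyS0 is not a tty".  The kernel records what it actually found in
# /proc/tty/driver/serial ("uart:unknown" means no hardware behind the node).
# The optional FILE argument lets the functions read a saved copy instead.

# real_serial_ports [FILE]
# Prints "ttyS<N> <uart type> <I/O port> <irq>" for every line whose UART was detected.
real_serial_ports() {
    src=${1:-/proc/tty/driver/serial}
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 2; }
    awk '
        /^[0-9]+:/ && $2 != "uart:unknown" {
            split($1, n, ":")            # "0:"            -> 0
            sub(/^uart:/, "", $2)        # "uart:16550A"   -> 16550A
            sub(/^port:/, "", $3)        # "port:000003F8" -> 000003F8
            sub(/^irq:/, "", $4)         # "irq:4"         -> 4
            printf "ttyS%s %s 0x%s %s\n", n[1], $2, $3, $4
        }' "$src"
}

# serial_port_present PORT [FILE]
# Exit 0 when PORT (e.g. ttyS0) is backed by a detected UART, 1 when it is not.
serial_port_present() {
    real_serial_ports "${2:-/proc/tty/driver/serial}" |
        awk -v p="$1" '$1 == p { found = 1 } END { exit !found }'
}

# Script usage: serialcheck.sh ttyS0
if [ "$#" -ge 1 ]; then
    if serial_port_present "$1"; then
        echo "$1: UART detected"
    else
        echo "$1: no UART (disabled in firmware, or not present)"
    fi
fi
```

If the port shows up as "uart:unknown" the fix is in the BIOS, not in inittab or grub; once it is re-enabled the line changes to the UART type (16550A on most PC hardware) and the I/O port and IRQ the kernel probed.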


Tiger warned me that IP forwarding was enabled this morning.  Its behavior is definitely odd in terms of when it reports something is afoot.

NEW: --WARN-- [lin015w] The system has IP forwarding enabled

I digress.  A good article here covers how to disable/enable IP forwarding, and, more importantly for my memory, it also has the sysctl syntax, which I forget on a regular basis.

Check if IP Forwarding is enabled

We have to query the sysctl kernel value net.ipv4.ip_forward to see if forwarding is enabled or not:
Using sysctl:

sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0

or just checking out the value in the /proc system:


cat /proc/sys/net/ipv4/ip_forward
0

As we can see in both of the above examples, forwarding was disabled (as shown by the value 0).
Enable IP Forwarding on the fly
As with any sysctl kernel parameters we can change the value of net.ipv4.ip_forward on the fly (without rebooting the system):

sysctl -w net.ipv4.ip_forward=1

or

echo 1 > /proc/sys/net/ipv4/ip_forward

Either way the setting changes instantly, but it is not preserved across a reboot.
Permanent setting using /etc/sysctl.conf
If we want to make this configuration permanent the best way to do it is using the file /etc/sysctl.conf where we can add a line containing net.ipv4.ip_forward = 1

/etc/sysctl.conf:
net.ipv4.ip_forward = 1

If you already have an entry for net.ipv4.ip_forward with the value 0, change it to 1.
To enable the changes made in sysctl.conf you will need to run the command:

sysctl -p /etc/sysctl.conf

(sysctl -p with no file name reads /etc/sysctl.conf by default.)  The opposite setting, net.ipv4.ip_forward = 0, is the one to keep on any box that is not meant to route packets, which is why Tiger flags it: a host that forwards will relay traffic between whatever networks it is attached to.  IPv6 forwarding is controlled separately, by net.ipv6.conf.all.forwarding.

There is some good stuff down in the comments too.
Thanks MDLog.
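
The same procedure as shell functions, added here as an example (it is not from the MDLog article or this post): an idempotent edit of sysctl.conf, so running it twice never leaves an active line and a commented-out line disagreeing with each other, plus a check that both the running value and the persisted one are 0 on a host that should not route.  The file path /etc/sysctl.conf (rather than /etc/sysctl.d/), reading the live value from /proc/sys, and the two-argument script usage are assumptions of the example.

```sh
#!/bin/sh
# Added example, not from the MDLog article or the original post: the
# "edit sysctl.conf" step as idempotent shell functions, plus a check that
# both the running and the persisted value are what a non-router should have.
# Assumptions: settings live in /etc/sysctl.conf (not /etc/sysctl.d/), and the
# live value is read from /proc/sys.  Paths are parameters so the functions
# can be exercised on copies.
set -e

# sysctl_conf_set FILE KEY VALUE
# Writes "KEY = VALUE" into FILE.  An existing line for KEY, active or
# commented out, is replaced in place; otherwise the setting is appended,
# so running this twice never leaves two lines fighting over the same key.
sysctl_conf_set() {
    file=$1 key=$2 value=$3
    pat=$(printf '%s' "$key" | sed 's/\./\\./g')    # make the dots literal
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$pat[[:space:]]*=" "$file"; then
        sed "s|^[[:space:]]*#\{0,1\}[[:space:]]*$pat[[:space:]]*=.*|$key = $value|" \
            "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# sysctl_conf_get FILE KEY -> the value on the last active (uncommented) line, or nothing
sysctl_conf_get() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*$pat[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# ip_forward_disabled [FILE] [LIVE]
# Exit 0 when the running value is 0 and FILE either omits the key or sets it
# to 0 (the kernel default is off, so an absent entry is fine).  A failure on
# the live value is the condition Tiger's lin015w warning is about.
ip_forward_disabled() {
    file=${1:-/etc/sysctl.conf} live=${2:-/proc/sys/net/ipv4/ip_forward}
    [ "$(cat "$live")" = 0 ] || return 1
    saved=$(sysctl_conf_get "$file" net.ipv4.ip_forward)
    [ -z "$saved" ] || [ "$saved" = 0 ]
}

# Script usage: sysctlset.sh KEY VALUE -- persist the key, then apply it now
if [ "$#" -eq 2 ]; then
    sysctl_conf_set /etc/sysctl.conf "$1" "$2"
    sysctl -w "$1=$2"
fi
```

Editing the file alone changes nothing until sysctl -p (or sysctl -w, as the script does) is run, and the reverse is also true: a sysctl -w that is never written to the file is undone by the next reboot, which is the usual way a box ends up in the state Tiger complains about.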


In my efforts to build a new router, more to come on that topic, I had a need to make an ISO image bootable on a USB drive.  My Googling led me to this simple, straightforward article.

Thanks Lnx2.

I have made some slight modifications and formatting to the original steps based on what I found to work.

There are two methods.  The first writes the file system directly to the device with no partition table; the second is the more traditional partitioned layout.  Either way, confirm which device is your USB stick (check dmesg right after plugging it in) before running anything below, because every step that touches /dev/sdX is destructive.

1. Method (/dev/sdX is your USB flash drive):

A) Create a filesystem on the whole device without a partition table.  (This saves some space and you don't have to worry about the MBR, but some BIOSes refuse to boot a partitionless "superfloppy" device; use method 2 if yours does.)

sudo mkdosfs -I -v -n Ubuntu -F 32 /dev/sdX

B) Create the "volume boot record" and the file ldlinux.sys using this command:

sudo syslinux /dev/sdX

C) Mount the USB drive and the ISO image file on two separate mount points:

sudo mkdir -p /mnt/iso /mnt/usb
sudo mount -o loop,ro /path/to/iso /mnt/iso
sudo mount /dev/sdX /mnt/usb

D) Copy all the files in the ISO to the USB drive.  Copying the mount point's "." picks up the hidden files too; a ".*" glob also matches ".." and would drag in the parent directory.  FAT32 cannot hold symlinks or Unix permissions, so expect cp to complain about those and carry on.

sudo cp -r /mnt/iso/. /mnt/usb/

E) Rename the isolinux directory to syslinux and isolinux/isolinux.cfg to syslinux/syslinux.cfg, inside the USB mount:

sudo mv /mnt/usb/isolinux /mnt/usb/syslinux
sudo mv /mnt/usb/syslinux/isolinux.cfg /mnt/usb/syslinux/syslinux.cfg

F) Unmount cleanly, then reboot:

sudo umount /mnt/usb /mnt/iso

2. Method (/dev/sdX is your USB flash drive):

A) Create a partition table with one partition and mark that partition active; the syslinux MBR code only boots the active partition:

sudo parted /dev/sdX

In parted:

mklabel msdos
mkpart primary fat32 0% 100%
set 1 boot on
quit

B) Create a filesystem on the first partition:

sudo mkdosfs -v -n Ubuntu -F 32 /dev/sdX1

C) Overwrite the MBR boot code.  mbr.bin is 440 bytes, so writing exactly that much leaves the partition table you just created intact.  On newer syslinux packages the file lives at /usr/lib/syslinux/mbr/mbr.bin instead.

sudo dd if=/usr/lib/syslinux/mbr.bin of=/dev/sdX bs=440 count=1 conv=notrunc

D) Create the "volume boot record" and the file ldlinux.sys on the partition:

sudo syslinux /dev/sdX1

E) Mount the USB partition and the ISO image file on two separate mount points:

sudo mkdir -p /mnt/iso /mnt/usb
sudo mount -o loop,ro /path/to/iso /mnt/iso
sudo mount /dev/sdX1 /mnt/usb

F) Copy all the files in the ISO to the USB drive.  Copying the mount point's "." picks up the hidden files without a ".*" glob (which would also match ".."); FAT32 cannot hold symlinks, so cp will complain about those and carry on.

sudo cp -r /mnt/iso/. /mnt/usb/

G) Rename the isolinux directory to syslinux and isolinux/isolinux.cfg to syslinux/syslinux.cfg, inside the USB mount:

sudo mv /mnt/usb/isolinux /mnt/usb/syslinux
sudo mv /mnt/usb/syslinux/isolinux.cfg /mnt/usb/syslinux/syslinux.cfg

H) Unmount cleanly, then reboot:

sudo umount /mnt/usb /mnt/iso
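
Method 2 as one script, added here as an example (it is not from the Lnx2 article or this post), with the guards a practitioner wants around a command sequence that writes to a raw block device: it refuses anything that is not a removable whole-disk device according to /sys, derives the partition node, looks for mbr.bin in both locations syslinux packages have used, writes only the 440 bytes of boot code, and unmounts cleanly.  The device names, the temporary mount points, the mbr.bin paths and the need to run it as root are assumptions of the example.

```sh
#!/bin/sh
# Added example, not part of the original article: method 2 wrapped in a
# script with the guards that are easy to forget when typing the steps by hand.
# Assumptions: syslinux is installed, the target is a whole removable disk such
# as /dev/sdb, mbr.bin is in one of the two paths below, and we run as root.
set -eu

# is_removable_disk DEV [SYSFS]
# True when DEV is a whole-disk, removable block device (not a partition and
# not a fixed disk).  SYSFS defaults to /sys; tests can point it elsewhere.
is_removable_disk() {
    dev=$1 sysfs=${2:-/sys}
    name=${dev#/dev/}
    # partitions live under /sys/block/<disk>/<part>, never directly in /sys/block
    [ -d "$sysfs/block/$name" ] || return 1
    [ -r "$sysfs/block/$name/removable" ] || return 1
    [ "$(cat "$sysfs/block/$name/removable")" = 1 ]
}

# first_partition DEV: /dev/sdb -> /dev/sdb1, /dev/mmcblk0 -> /dev/mmcblk0p1
first_partition() {
    case "$1" in
        *[0-9]) printf '%sp1\n' "$1" ;;
        *)      printf '%s1\n' "$1" ;;
    esac
}

# find_mbr_bin [ROOT]: syslinux's 440-byte MBR code; the path moved between releases
find_mbr_bin() {
    root=${1:-}
    for p in /usr/lib/syslinux/mbr/mbr.bin /usr/lib/syslinux/mbr.bin; do
        [ -f "$root$p" ] && { printf '%s\n' "$root$p"; return 0; }
    done
    return 1
}

# write_usb DEV ISO: the whole of method 2, stopping before the first destructive
# step if any precondition fails
write_usb() {
    dev=$1 iso=$2
    [ -f "$iso" ] || { echo "no such ISO: $iso" >&2; return 1; }
    is_removable_disk "$dev" || { echo "refusing: $dev is not a removable whole disk" >&2; return 1; }
    mbr=$(find_mbr_bin) || { echo "syslinux mbr.bin not found" >&2; return 1; }
    part=$(first_partition "$dev")

    # nothing on the stick may be mounted while we repartition it
    for m in $(awk -v d="$dev" '$1 ~ "^"d { print $2 }' /proc/mounts); do umount "$m"; done

    # A) fresh MBR partition table, one FAT32 partition marked active
    parted -s "$dev" mklabel msdos mkpart primary fat32 0% 100% set 1 boot on
    # B) filesystem on that partition
    mkdosfs -v -n Ubuntu -F 32 "$part"
    # C) boot code only: 440 bytes, so the partition table just written survives
    dd if="$mbr" of="$dev" bs=440 count=1 conv=notrunc
    # D) volume boot record and ldlinux.sys
    syslinux "$part"
    # E) copy the ISO contents; FAT32 cannot hold symlinks, so those are reported and skipped
    isodir=$(mktemp -d) usbdir=$(mktemp -d)
    mount -o loop,ro "$iso" "$isodir"
    mount "$part" "$usbdir"
    cp -r "$isodir/." "$usbdir/" || echo "warning: some entries were not copied (symlinks are expected to fail on FAT32)" >&2
    # F) syslinux looks for syslinux/syslinux.cfg, not isolinux/isolinux.cfg
    mv "$usbdir/isolinux" "$usbdir/syslinux"
    mv "$usbdir/syslinux/isolinux.cfg" "$usbdir/syslinux/syslinux.cfg"
    sync
    umount "$usbdir" "$isodir"
    rmdir "$usbdir" "$isodir"
}

# Script usage: makeusb.sh /dev/sdX /path/to/iso
if [ "$#" -eq 2 ]; then write_usb "$1" "$2"; fi
```

The removable check is the important one: every other step is the same whether /dev/sdX is the stick or the laptop's own disk, and the script refuses to continue unless /sys says the device is removable and is a whole disk rather than a partition.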


Another VMWare issue I started having is Unity mode wouldn’t start.  Click the button, the unity menu pops up and the VMWare window minimizes, but the unity app never displays.

This is also a common problem with a very simple fix.  Apparently, sometime in the past, I added a line to my /etc/vmware/config file to fix a problem or enable some other feature.  This line and Unity just don't mix.

The fix, per this thread and ultimately this blog post, is to remove the following line from your /etc/vmware/config file.

xkeymap.nokeycodeMap = true

Keep reading the VMWare Communities post for additional details if you added that line to address some key mapping issues.


Like many Linux users of VMware, I live in a mixed world where not everything I need or want can be done in Linux, so I have to resort to dual boots and virtual machines.  Combine that with the sad state of EXT2/3 FS drivers for Windows and you have a situation where you have to make concessions just to get by.  For this particular story I am referring to having NTFS-formatted external hard drives.  I like to run my virtual machines on separate physical disks, especially when the physical machine is an under-powered laptop.  So I have my VM on an NTFS external drive, trying to run it from my Linux desktop, and I am getting terrible performance.  TERRIBLE.  Like the window graying out because it is unresponsive and having to kill -9 processes just to get anything moving again.  Looking at the processes, the FUSE ntfs-3g driver is pegged at 100% even after killing the VM.

It turns out that this is a known problem in the ntfs-3g driver and is being ‘worked on’.  I say ‘worked on’ because the problem has apparently been around for a long time.  So long, in fact, that it has made it to the FAQ on the ntfs-3g.org website here.  With all of that said, the solution is to simply add a line to your .vmx file.  Note: This is a per-VM setting, so you will have to do it on all of them.

Edit your .vmx file and add the following (.vmx values are quoted):

mainMem.useNamedFile = "FALSE"

This stops VMware backing the guest's memory with a .vmem file in the VM directory, which is the file ntfs-3g was thrashing on; the memory is kept under /tmp instead.  Do note, as they state on the website, that your /tmp dir must therefore be on a non-ntfs-3g partition or else you simply move the performance problem there.


Anyone who runs GNU/Linux is bound to need a console at some point.  Sometimes it is just easier to switch over to a virtual console and do what you need to do.  The default state of most consoles is an 80×25 character text display, which is basically useless if you want to see any kind of information.

The simple solution to this minimalist display is to set the vga kernel flag.  This allows you to set the resolution of your console framebuffer to something more useful.

The default settings example shows vga=791.  This puts your console in a 1024×768 resolution at 16-bit colour, which, while not great, is a significant boost over the default.  If you simply enable this resolution, you will notice the Ubuntu usplash logo is off center.  Very annoying.  The following steps are needed to make your console framebuffer something to look at.

1. Figure out what resolution your primary monitor supports.  This is typically what you have your desktop resolution set to.

2. Determine what your vga kernel flag needs to be set to.

The Wikipedia article on VESA BIOS Extensions will probably answer your questions.  Specifically, the section on Linux Video Modes.

For us widescreen users, we are not as lucky with our resolution choices.  Though, through my experimentation, I did find that vga=840 works to give me 1400×1050@16bit on my Dell Inspiron 1505 with the NVidia 7300 Go.  This is actually VESA 348 and does not follow the 512 rule stated in the Wiki article.  My assumption about why is probably due to the manuf, and the manufacturer's implementation.

Note: Don't worry too much about getting it wrong.  One of two things will happen.  1. You will get no display, or 2. the kernel's boot code will stop and tell you the video mode number is undefined (this prompt comes from the kernel, not from grub).  I will cover how to correct this in a moment.

3. Edit your menu.lst file and add the vga= option in two places.  First, add it to the default options line.  You are looking for this line.
# defoptions=quiet splash

Change it to:
# defoptions=quiet splash vga=840

Replace 840 with the mode you chose.

Next change the default Boot menu kernel entry at the bottom. In a standard Ubuntu build, the default entry will be the first entry following this line.

## ## End Default Options ##

It will look something like this:
title Ubuntu 8.10, kernel 2.6.27-9-generic
uuid 636dc411-e53a-4776-a9e9-4fc9e277f445
kernel /boot/vmlinuz-2.6.27-9-generic root=UUID=636dc411-e53a-4776-a9e9-4fc9e277f445 ro quiet splash
initrd /boot/initrd.img-2.6.27-9-generic
quiet

You need to add the vga=### to the end of the kernel line so it looks like this.

kernel /boot/vmlinuz-2.6.27-9-generic root=UUID=636dc411-e53a-4776-a9e9-4fc9e277f445 ro quiet splash vga=840

4. Next you need to update the usplash config to match the resolution.  This is how you keep the logo centered.

sudo vi /etc/usplash.conf

Change the x and y resolution lines to match your chosen resolution.

# Usplash configuration file
xres=1400
yres=1050

5.  Update your initramfs to take advantage of the usplash settings change.

sudo update-initramfs -u

6. Reboot.

You should see a smaller, higher resolution Ubuntu logo and then Gnome startup.

Upon reboot, if you get a blank screen, that means you chose a resolution that is larger than what your display can support.  In this case, boot your Ubuntu CD and choose rescue mode.  From there, choose a command prompt for the rescue CD, cd to /target/boot/grub, then edit menu.lst with nano and remove the vga=840 from the kernel entry at the bottom.

If instead you get a prompt saying you have set an undefined video mode number, follow it to list the available modes (the prompt itself says which key shows the list and which key continues with the default).  If you would like the complete list, type scan and press enter.  This table is what I used to help determine the 840 setting for my display.  Select the letter representing your choice and your machine will continue to boot.

The entries listed in the table are the only VESA modes your video card supports.  Find the entry that best matches your display preferences without exceeding the max resolution of your monitor.  The number shown next to it is already the mode number vga= wants, but the table prints it in hexadecimal while vga= takes decimal: 348 in the table is 0x348, which is 840.  The 512 in the Wikipedia article is 0x200, the offset between a bare VESA mode number and the Linux mode number, and the table has already applied it, so adding it again is what produces the undefined mode error (which is also printed in hex).

Note: The number following the resolution is the color depth, the number of bits being used to describe a color.  Unless you have a specific limitation, it is safe and preferable to choose the highest number following your chosen resolution.  You will typically see 8, 16, and 32.

My monitor supports 1650×1050 max resolution. The max resolution my video card supports is 1600×1200. Since the 1200 is greater than the 1050, if I choose this resolution, my monitor will not display and/or give me an error indicating that it is out of range. In my case, my next best choice was 1400×1050@16bit. The menu displayed this resolution as VESA 348. My next step was to convert the VESA mode to a linux VGA mode. Per the VESA BIOS Wiki I linked earlier, the standard is to add 512 to the VESA mode which would give me 860. I set vga=860 and rebooted. Same problem but it gave me an error stating 361 was not a valid mode. Since my goal was 348, I tried decreasing it by 12. I set vga=853 and rebooted. I got the grub error again, but it said that 355 was not a valid mode. Some simple math showed that I moved from 361 to 355 by subtracting 12 from the VGA mode, this time I need to move 7. I subtracted 13 this time which gave me the 840 and no grub errors on boot.
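
The conversions and the menu.lst/usplash.conf edits from the steps above as shell functions, added here as an example (not from the original post).  The point they make explicit is that the boot-time mode table and the "undefined video mode" message use hexadecimal while vga= takes decimal: 348 in the table and vga=840 are the same mode, and 853 is what the kernel calls 355.  File paths are parameters so the functions can be tried on copies of menu.lst and usplash.conf; the five-argument script usage is an assumption of the example.

```sh
#!/bin/sh
# Added example, not from the original post.  The mode table the kernel
# prints at boot lists mode numbers in hexadecimal, while vga= on the kernel
# line takes decimal: "348" in that table and vga=840 are the same mode
# (0x348 = 840), and the 512 (0x200) from the Wikipedia article is the offset
# between a bare VESA mode number and the Linux one, which the table has
# already added.  The editing functions apply a mode to grub-legacy's
# menu.lst and to usplash.conf the way the steps above do.
set -e

# hex_to_vga 348 -> 840      number as printed in the boot-time mode table
hex_to_vga()  { printf '%d\n' "$(( 0x$1 ))"; }

# vesa_to_vga 148 -> 840     bare VESA mode number (Wikipedia table) plus 0x200
vesa_to_vga() { printf '%d\n' "$(( 0x$1 + 0x200 ))"; }

# vga_to_hex 840 -> 348      the other way, to compare with the table or an error message
vga_to_hex()  { printf '%x\n' "$(( $1 ))"; }

# set_menu_vga MENU_LST MODE
# Adds vga=MODE to the "# defoptions=" line and to every "kernel" line (the
# two places the steps edit), replacing any vga= already there.  Idempotent.
set_menu_vga() {
    sed -e '/^# defoptions=/{' -e 's/ vga=[^ ]*//g' -e "s/\$/ vga=$2/" -e '}' \
        -e '/^[[:space:]]*kernel[[:space:]]/{' -e 's/ vga=[^ ]*//g' -e "s/\$/ vga=$2/" -e '}' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# clear_menu_vga MENU_LST: the rescue-mode fix, drop vga= everywhere
clear_menu_vga() {
    sed 's/ vga=[^ ]*//g' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# set_usplash_res USPLASH_CONF XRES YRES: keep the boot logo centred
set_usplash_res() {
    sed -e "s/^xres=.*/xres=$2/" -e "s/^yres=.*/yres=$3/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Script usage: vgamode.sh MENU_LST USPLASH_CONF MODE XRES YRES
if [ "$#" -eq 5 ]; then
    set_menu_vga "$1" "$3"
    set_usplash_res "$2" "$4" "$5"
    echo "set vga=$3 (0x$(vga_to_hex "$3")); now run: sudo update-initramfs -u"
fi
```

update-initramfs -u still has to be run by hand afterwards, as in step 5, or the usplash change stays on disk but not in the initramfs that actually draws the logo.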


A year or so ago a friend of mine told me about this little app called Synergy.  It is an open source utility which allows you to use a single keyboard/mouse to manage multiple PCs.  It is a very slick little tool that works on Linux, Windows, and OS X.

It is a client-server setup.  The server is the PC which has the keyboard and mouse attached to it.  The client is a very small agent running on each of the other PCs.  Configuration for the client is simply providing the DNS name or IP of the server.  The server config is just a hair more involved: you have to tell it which clients are connecting to it and how they relate to each other for mouse movement.  One caveat: Synergy's protocol (TCP port 24800 by default) carries every keystroke in the clear and identifies clients only by their screen name, so keep it on a network you trust or tunnel the client connection through SSH.

The behaviour acts like you have multiple monitors.  Simply move the mouse to the edge of the screen you have defined in the layout and it starts moving on the other PC.  I don't see any limitations to the number of PCs you can have connected, though I am sure there is a point where it would become cumbersome to move between all of the screens.

Of course Ubuntu Communities has nice documentation on how to configure it including for autostartup at various points.


Four vulnerabilities in the Ubuntu kernel were resolved today.  Go update your systems!

The details are here.

As a side note, I did not have to reconfig the VMWare kernel modules upon reboot.

From the command line:
sudo apt-get update; sudo apt-get upgrade

If apt lists the new linux-image package as “kept back”, the kernel ABI version changed and a new package has to be pulled in, which plain upgrade will not do; run sudo apt-get dist-upgrade in that case.  You will be good to go after a reboot into the new kernel; the old, vulnerable one keeps running until then.


A nice article over at Ars Technica talks about a project some Carnegie Mellon students have been working on called Perspectives.

It is an SSL and SSH security enhancement which helps prevent man-in-the-middle attacks by giving you a 3rd-party “perspective” of the site you are visiting.  I know you are asking, what does that mean and how is that my problem?

As this article over at TechDirt describes, the little padlock has been one of the best things for Internet security.  Users, for the most part, recognize and trust it to indicate that the site and the data about the transaction are secure.  A MITM attack is where an attacker intercepts your request to initiate a secure connection and places themselves in the chain, terminating your encrypted session and opening their own to the real site.  If done correctly, you, your browser, and the site at the other end have no idea that someone is listening in.  If this attack succeeds, the attacker has access to everything that was supposed to be encrypted, which could be credit card numbers and passwords.  For you Linux/Unix users out there, SSH is susceptible to this attack as well, every time you accept a host key you have never seen before.

The Perspectives project describes its goal as having “designed Perspectives to supplement [Trust-on-first-use] applications with spatial and temporal redundancy”.  It works like this…

You visit a site which has a self-signed certificate.  (Nobody wants to spend the ridiculous amount of money required to get a 3rd-party-signed cert.)

Without Perspectives, Firefox will give you a big warning that most users promptly ignore and select to add the exception.

Perspectives places itself in that step instead.  When your browser receives the site's certificate, the plugin queries a set of notary servers.  Each notary connects to the site from its own vantage point and sends back the key it was offered.  The plugin compares what the notaries saw with what you received.  If enough of them agree with your copy, the certificate is accepted as valid and Firefox doesn't prompt you with the warning; an attacker sitting between you and the site would have to show the same key to every notary to pass.

There are additional configuration choices that tighten this further by requiring the notaries to have seen that same key for at least X days.  That guards against an attacker who can intercept all requests to the site, including the notaries': the key they inject is new, while the legitimate one has a history.
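
The decision Perspectives makes, reduced to its inputs, as an added example (this is not the project's code): each notary reports the key it was offered by the site and for how many days it has seen that key, and the key your browser received is accepted only when at least a quorum of notaries agree with it (the spatial redundancy) and every one of those has seen it for the minimum number of days (the temporal redundancy).  The observation format, the sample notary data and the thresholds are all constructed for the example; the real plugin's defaults and wire format are not reproduced here.

```sh
#!/bin/sh
# Added example, not Perspectives' own code: the accept/reject decision the
# plugin makes, reduced to its inputs.  Each notary reports the key it was
# offered by the site and for how many consecutive days it has seen that key.
# The key your browser received is accepted only when at least QUORUM percent
# of the notaries report the same key (spatial redundancy) and every one of
# those has seen it for at least MIN_DAYS days (temporal redundancy).
# Observations are read from stdin as "notary fingerprint days_seen" lines;
# SAMPLE_OBS and the thresholds are constructed for illustration.
set -e

# perspectives_decide FINGERPRINT QUORUM_PERCENT MIN_DAYS < observations
# Prints one line starting with "accept" or "reject", exit 0 or 1 accordingly.
perspectives_decide() {
    awk -v fp="$1" -v quorum="$2" -v mindays="$3" '
        NF == 3 {
            total++
            if ($2 == fp) {
                agree++
                if ($3 + 0 < mindays + 0) young++   # agrees, but not for long enough
            }
        }
        END {
            if (total == 0) { print "reject: no notary observations"; exit 1 }
            pct = 100 * agree / total
            if (pct < quorum + 0) {
                printf "reject: only %d%% of notaries (%d/%d) see this key\n", pct, agree, total
                exit 1
            }
            if (young > 0) {
                printf "reject: %d notaries saw this key for under %d days\n", young, mindays
                exit 1
            }
            printf "accept: %d/%d notaries agree, each for at least %d days\n", agree, total, mindays
        }'
}

# Constructed sample: three notaries have seen key AA:BB for weeks; a fourth,
# behind a hypothetical interposer, sees CC:DD and has only seen it for a day.
SAMPLE_OBS='notary-1 AA:BB 30
notary-2 AA:BB 25
notary-3 AA:BB 12
notary-4 CC:DD 1'

# Script usage: perspectives.sh FINGERPRINT [QUORUM_PERCENT] [MIN_DAYS]
# A real client would pass the fingerprint it got from the TLS handshake, e.g.
#   openssl s_client -connect host:443 </dev/null | openssl x509 -noout -fingerprint
if [ "$#" -ge 1 ]; then
    printf '%s\n' "$SAMPLE_OBS" | perspectives_decide "$1" "${2:-75}" "${3:-7}"
fi
```

Two cases are worth running by hand: a client that was handed CC:DD by an interposer on its own path is rejected on quorum (only one notary agrees), and a client handed AA:BB with the minimum age raised to 20 days is rejected on duration even though three of four notaries agree, which is exactly the situation where an attacker has also managed to get in front of the notaries.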

All in all, this is yet another tool in the arsenal to keep our computing safe.  I hope that Mozilla, OpenSSL, and OpenSSH take this project to heart and integrate it into their suites as well as some large companies step up and offer their services as a notary.

You can obtain the Firefox extension here and an OpenSSH client here.


An interesting article I found over at Balance Through Extremism.  Apparently Red Hat has had a long-standing bug in the bless/overload function of Perl.  It causes massive disk I/O usage for no apparent reason.

In short, if you are using the official Perl RPMs from RedHat on RHEL, CentOS, or Fedora, you are likely experiencing a major performance bug.  The simple solution is to roll your own.


A nice guide that covers the most common commands and functions in vi.


A nice set of Linux How-tos and guides over at linuxscrew.com covering Bash, utils, the file system, iptables, advanced routing topics and hardening.


I don't know what kind of management is going on over at VMware that they would let this joke of a management interface be shown to the public.  I have had nothing but capital P problems with this POS.

All of the problems I mentioned before as well as the interface just not working.

I was installing Solaris 10 x86 to do IdM development on my laptop.  I kept running into a timing issue where the clock on the virtual Solaris hardware was running fast, to the degree that minutes were passing faster than a real second.  After several hours of digging for a solution, I decided to try it on my “Brand New” VMware Server 2 install.  The only good news that came out of this entire ordeal was that the timing issue went away.  Though, I suspect that is due to kernel differences vs. software improvements.  I had the same kind of speedy behaviour out of Workstation 6.5 Beta 1 and 2.

Anyway.. back to the Solaris install.. So the install goes smoothly, much to my surprise.  It wasn't until after the reboot that the management interface problems started showing themselves.  There were no specific issues as a result of the VM or guest OS install process.  It was more the resultant behavior of a system that has a run-away process.  Namely, a VM of Solaris that will not die.

When the CPU/memory load of the host server was high due to the Solaris VM, the management interface started flaking out.  Little sections stopped responding, leaving “loading” notices for minutes as if.. gasp.. a JSP applet timed out and doesn't realize it!!  It never returned any errors or gave any suggestions for how to ‘fix’ it.  At one point the system was denying me access to perform functions on the virtual machines though I am explicitly an administrator on the application.  I would stop the VM, it would report it was stopped at the bottom in the little events section, but the top section would ‘grey’ out as if it was still processing my request.  These quirks were resolved by either doing a full page refresh (shift+F5) or cycling the management process on the host: sudo /etc/init.d/vmware-mgmt restart

The biggest issue I ran into, though, was at one point I could not get the webAccess component to actually stop.  vmware-mgmt stop would say it completed correctly but doing a process list showed it running.

Bit of warning if you have to manually kill the webAccess process.  There is a separate watchdog process that will reload the service automatically.  It acts like it retains the session problems details through the watchdog restarts.  I had to manually kill both the watchdog and webAccess processes at the same time to get them to actually stop.  Sounds a bit like a virus, eh?

At this point I am ready to throw VMware Server 2 out the F'in window, but I noticed a little line indicating the virtual hardware version.  Server 2 bumps this up to version 7, which is not backwards compatible with Server 1.0x or Workstation 6.  (Maybe 6.5 beta?)

In all fairness to VMware, I do see what they are trying to accomplish.  They are trying to unify their interfaces between the products.  I am sure it was some kind of PITA to maintain the separate apps for each of the different programs and I can respect that.  But for the love of all that is Good and VMware.. Give Me Back my Linux GUI!!!

Another side note: On the forums I found that the Virtual Infrastructure Client can be used to connect to Server 2 rather painlessly.  The only problem with this is.. it is written in .Net and no one has managed to get it to run in Wine yet.  So.. this basically means I am forced to either A. use the F@#$! POS web interface and all of its issues or B. run Windows in a VM or somewhere to connect to the server with a GUI.


I saw this article this morning from Ars on virtualization and it made mention that VMware Workstation 6 contains the ability to run a Linux guest in paravirtualized mode.  So I started digging around to see if Server offered this ability.  Much to my chagrin, the functionality is only in Server 2, which is still in RC1.

My biggest issue with Server 2 is the Server Console application we all know and love has been replaced by a crap-tastic web interface running on a stripped down/modified Apache/tomcat service provided by the install.  In short.. teh suck.

I let my geek tendencies run and went ahead with the upgrade??? to Server 2.  So far.. I am NOT impressed.  The performance of the web interface is pathetic compared to the console.

First issue I ran into was it was prompting me to select a client certificate to authenticate myself.  Apparently this is a bug that hasn’t been resolved yet.  I had to backup and delete my client certificates to login.  This is not going to fly..

Second issue, it doesn’t automatically accept those who can run sudo commands as authorized users of the system.  I had to reset the root login and give the admin group that administrator role.

Third issue.. the HGFS module does not compile.  At least I do not need shared folders on here.

Fourth issue.. the remote console plugin for Firefox does not work with 3.0.1.  I had to adjust it manually so it would.

Fifth issue.. the performance really sucks.  Slow, buggy.. a couple of times I got an error that said my console session was rejected.  No Permission To View The Console.. WTF.  I restarted the vmware services on the host and it started working.

Sixth Issue.. Shutting down the guest did not power off the VM until the tools were upgraded.  – I don’t mind they don’t fully function, but I would consider that one to be pretty important.  I had to manually kill the process before the web interface would let me do anything.

NOTE:  Before the paravirtualization option can be enabled (from the advanced options tab in the vm configuration) you have to have the upgrade tools installed and running and then shutdown the guest.  So.. install, reboot, shutdown.

NOTE 2: The server is using a self-signed certificate for SSL encryption.  This means an exception will have to be made in Firefox to get to the site.  Before adding it, compare the fingerprint Firefox shows with the one computed on the host itself (openssl x509 -noout -fingerprint -in <the server's certificate file>); an exception added without that check pins whatever certificate happened to be presented, whether by the server or by something in between.

After all of this fun, I finally enabled the paravirtualization option and powered back on.  Much to my dismay the kernel was checking every SCSI ID on the device to see if it could find anything.  10-15 seconds per ID and 15 usable IDs on a wide SCSI chain.

At this time.. I just powered off and turned off the option.  I will build a new VM to try out the setting and migrate it over as the ‘prod’ box if I am happy with the performance.

I am definitely not happy about the resource usage of the web interface either..  formerly console access used zero resources on my server.. now the web interface is using 1% CPU and 3% MEM.  While this isn't much, I wasn't giving up anything previously.  This is a serious step backwards..


I was perusing the interweb a few days ago and I stumbled across an interesting statement. (I don’t have the link anymore.). The gist was, you could bridge VMWare Guest NIC to a host adapter that has no IP address. The security implications are what caught my attention. So I started digging a little further and I found it was true and then I managed to work a little bit of magic to make it happen!

Here is the scenario..

ServerLAN is an Ubuntu Server host running VMWare Server. 2 physical NICs bound to 2 bridged networks. NIC1 is attached to the private LAN, NIC 2 is attached to the DMZ. These networks are isolated by a firewall.

ServerDMZ is an Ubuntu Server guest Virtual Machine. 1 Virtual NIC

The idea is to isolate ServerDMZ from the private network and ServerLAN from the DMZ.

I had all of this working with a public IP on the ServerDMZ virtual NIC, a DMZ private IP on NIC 2, and the LAN private IP on NIC1. The problem with this setup is, my host was accessible from the DMZ. With proper blocking.. namely drop all traffic to and from that interface, it wasn't much of a concern. But the IP was still there. So I did a little Ubuntu /etc/network/interfaces magic.
mapping eth0 eth1
script /etc/network/get-mac-address.sh
map 01:23:45:67:89:01 NIC1
map AB:CD:EF:GH:IJ:KL NIC2
iface lo inet loopback
iface NIC1 inet static
address 192.168.1.2
broadcast 192.168.1.255
netmask 255.255.255.0
network 192.168.1.0
gateway 192.168.1.1
metric 100
iface NIC2 inet manual
up ifconfig $IFACE up
down ifconfig $IFACE down

To break this down..
mapping eth0 eth1
script /etc/network/get-mac-address.sh
map 01:23:45:67:89:01 NIC1
map AB:CD:EF:GH:IJ:KL NIC2

This section protects against a kernel update bringing my NICs up in a different order. The script get-mac-address.sh reads the interface's MAC address and returns the label NIC1 or NIC2 depending on which map line matched, so the stanzas below are tied to the hardware rather than to eth0/eth1.
iface lo inet loopback
This brings up the loopback interface.
iface NIC1 inet static
address 192.168.1.2
broadcast 192.168.1.255
netmask 255.255.255.0
network 192.168.1.0
gateway 192.168.1.1
metric 100

This brings up my private network NIC. Does all of the necessary mappings.

Side Note: If you have two NICs with gateways listed, use the metric line to give one priority. Without it the second ifup fails when it tries to add a second default route (the kernel refuses the duplicate with a "File exists" error), and that interface does not come up cleanly.
iface NIC2 inet manual
up ifconfig $IFACE up
down ifconfig $IFACE down

This final section is how you bring up the interface without an IP address: the bridge still carries the guest's frames, but the host has no address to answer on the DMZ segment. It is also where you would set promiscuous mode, etc.

Instructions for the interfaces file can be found in /usr/share/doc/ifupdown (and in the interfaces(5) man page); the get-mac-address.sh script comes from the examples sub-folder there.
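
One check worth running after ifup, added here as an example (not from the original post): "inet manual" keeps IPv4 off the DMZ-facing interface, but a kernel with IPv6 enabled still gives every interface that comes up a link-local fe80:: address, so the host remains reachable on the DMZ segment over IPv6 unless that is switched off as well (net.ipv6.conf.<iface>.disable_ipv6=1 on kernels that have it, 2.6.29 and later; the sysctl is keyed by the physical name, eth1 here, not the NIC2 label).  The functions parse "ip -o addr" output so they can be checked against a saved sample; with no file argument they read the live system.  The script usage and the sample output are assumptions of the example.  Pair this with the ip_forward check from the Tiger post above: a host that does not forward and has no address on the DMZ side is invisible at layer 3 even though it bridges the guest's traffic.

```sh
#!/bin/sh
# Added example, not from the original post: verify that the bridged DMZ
# interface really has no address.  "inet manual" keeps IPv4 off it, but a
# kernel with IPv6 enabled still assigns a link-local fe80:: address when the
# interface comes up, so the host stays reachable on the DMZ segment over
# IPv6 unless that is switched off too (net.ipv6.conf.<iface>.disable_ipv6=1
# on kernels that have it, 2.6.29 and later).  The parser works on
# "ip -o addr" output so it can be checked on a saved sample;
# iface_is_addressless reads the live system when no file is given.
set -e

# addresses_on IFACE < "ip -o addr" output
# Prints "inet <addr>" / "inet6 <addr>" for every address bound to IFACE.
addresses_on() {
    awk -v ifc="$1" '$2 == ifc && ($3 == "inet" || $3 == "inet6") { print $3, $4 }'
}

# iface_is_addressless IFACE [FILE]
# Exit 0 when IFACE carries neither an IPv4 nor an IPv6 address.
iface_is_addressless() {
    if [ -n "${2:-}" ]; then
        found=$(addresses_on "$1" < "$2")
    else
        found=$(ip -o addr show dev "$1" | addresses_on "$1")
    fi
    [ -z "$found" ]
}

# Script usage: dmzcheck.sh eth1   (the physical name of the DMZ-facing NIC)
if [ "$#" -ge 1 ]; then
    if iface_is_addressless "$1"; then
        echo "$1: no address bound"
    else
        echo "$1: still addressed:"
        ip -o addr show dev "$1" | addresses_on "$1"
    fi
fi
```

Run it against the physical interface name rather than the NIC2 label from the mapping: ifupdown's logical names never appear in ip's output.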
