s9y testdrive

Terminal Server Patch

2010-08-27T13:49:46Z

There's a nice patch for WindowsXP Pro SP3 to enable concurrent RDP sessions. For your (and my) convenience, here are the files again:

$ ls -lgo termsrv.* 
-rwxr--r-- 1 295424 2010-08-26 15:47 termsrv.dll
-rwxr--r-- 1 295424 2008-04-13 17:12 termsrv.bk1

$ md5sum termsrv.*
56f4867bae6fd78e5365a3a7afa59c82  termsrv.dll
ff3477c03be7201c294c35f684b3479f  termsrv.bk1

After patching termsrv.dll (and backing up the original, and escaping Windows File Protection), we still have to add a new registry key:

  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core\
  EnableConcurrentSessions=1 (DWORD)

Reboot, and we should be done.

How to remove the popup ads in Avira Antivir

2010-08-27T09:21:47Z

When working with certain systems one might have to install some antivirs software. The Personal Edition of Avira Antivir does its job pretty well, I think: at least I feel safer by having some magic virus catcher installed :-) However, every time Antivir gets its (daily) updates, a nag screen pops up. Here's how to disable this popup ad:

Start, Run, secpol.msc
Right click "Software Restriction Policies," choose "New Software Restriction Policies"
Right Click "Additional Rule" folder, click "New Path Rule"
Where it says Path, Type the path of avnotify.exe on your computer
Make sure the "Security Level" Dropdown menu is selected as "Disallowed"

This should be it. Thanks, Wikihow editors :-)

Dnsmasq fun

2010-07-23T14:06:07Z

Ever wanted to setup a forwarding DNS for just one zone with Dnsmasq in DD-WRT? Here's how:

   server=/example.com/10.0.0.1

This will forward requests for *.example.com to 10.0.0.1. While we're on it, how about static DNS entries (w/o using DHCP) in DD-WRT? It's as easy as:

  address=/foo.example.com/f00.example.com/10.0.0.3
  address=/bar.example.com/b4r.example.com/10.0.0.4

Encrypted /home with Ubuntu 10.04

2010-07-06T22:19:06Z

This has troubled me for quite some time now:

# adduser --encrypt-home foo
[...]
foo$ cat README.txt 
THIS DIRECTORY HAS BEEN UNMOUNTED TO PROTECT YOUR DATA.

From the graphical desktop, click on:
 "Access Your Private Data"
or
From the command line, run:
 ecryptfs-mount-private

foo$ ecryptfs-mount-private 
ERROR: Encrypted private directory is not setup properly

When adding the user via the GUI it did not work either :-\ Turns out, I had to reinstall, again:

# apt-get purge ecryptfs-utils libecryptfs0 keyutils \
          libpam-encfs encfs librlog5 libboost-*
# apt-get install libpam-encfs ecryptfs-utils

# adduser --debug --encrypt-home foo
Adding user `foo' ...
Selecting UID from range 1000 to 29999 ...
Selecting GID from range 1000 to 29999 ...
Adding new group `foo' (1001) ...
/usr/sbin/groupadd -g 1001 foo
Adding new user `foo' (1001) with group `foo' ...
/usr/sbin/useradd -d /home/foo -g foo -s /bin/bash -u 1001 foo
Creating home directory `/home/foo' ...
Setting up encryption ...
/usr/bin/ecryptfs-setup-private -b -u foo
************************************************************************
YOU SHOULD RECORD YOUR MOUNT PASSPHRASE AND STORE IT IN A SAFE LOCATION.
  ecryptfs-unwrap-passphrase ~/.ecryptfs/wrapped-passphrase
THIS WILL BE REQUIRED IF YOU NEED TO RECOVER YOUR DATA AT A LATER TIME.
************************************************************************
[...]

foo$ mount | tail -1
/home/foo/.Private on /home/foo type ecryptfs (ecryptfs_sig=521cef411f2c84b1, \
ecryptfs_fnek_sig=44158dfbb2100d2f,ecryptfs_cipher=aes,ecryptfs_key_bytes=16)

foo$ df -h .
Filesystem            Size  Used Avail Use% Mounted on
/home/foo/.Private    9.4G  2.9G  6.1G  32% /home/foo

rsyslog: imklog: Cannot open proc file system

2010-07-06T18:17:33Z

For some time now rsyslog was not logging kern.* messages any more on this Ubuntu system:

Jul  6 18:07:08 len kernel: imklog: Cannot open proc file system, 2.
Jul  6 18:07:08 len rsyslogd: [origin software="rsyslogd" ...] (re)start

It has been upgraded from 9.10, and LP#401433 seems to suggest that some upgrade broke imklog. The fix suggested there would involve the following commands, but since my /var/run is a

tmpfs, I'd have to have this executed after every reboot (and before rsyslog starts):

  mkdir -m0700 -p /var/run/rsyslog
  chown syslog:syslog /var/run/rsyslog
  mkfifo -m 600 /var/run/rsyslog/kmsg
  chown syslog:syslog /var/run/rsyslog/kmsg
  start-stop-daemon --start --pidfile /var/run/rsyslog/kmsgpipe.pid \
                    --exec /bin/dd -b -m -- if=/proc/kmsg of=/var/run/rsyslog/kmsg


The "real" fix here was to apply a bit of Windows-fu *) to this setup and reinstall rsyslog :-\



*) The three Rs of Microsoft support: Retry, Reboot, Reinstall



Partition Alignment Linkdump
2010-07-05T18:17:00Z

                

Partition Alignment Guidelines for Unified Storage (July 01, 2010)

Recommendations for Aligning VMFS Partitions (Feb 03, 2004), obsoleted by Performance Best Practices for VMware vSphere 4.0 (July 30, 2009)

VMware Disk Alignment (April 09, 2009)

VMware I/O Problems (May 20, 2006)
 
            


Mounting VirtualBox VDI images on a MacOS X host
2010-06-25T17:06:15Z

                During all this VirtualBox hackery stuff I came across an interesting blogpost on how to mount a VirtualBox VDI in MacOS X. That is, we don't really want to mount it, we merely want to access the VDI file via a blockdevice. In GNU/Linux or Solaris one would use losetup resp. lofiadm to attach any file to a blockdevice.


In MacOS X there's hdid. By default, hdid not only tries to assign a blockdevice to the file but it tries to mount it too. We don't want this, so we use -nomount:

$ hdid -nomount linux.vdi 
hdid: attach failed - not recognized


Still, hdid failed. The blogpost above helped, we have to use the magic .img extension for the filename, oh well:

$ ln linux.vdi linux.img
$ hdid -nomount linux.img
/dev/disk3


However, we're still not entirely satisfied. Our linux.vdi contains a whole virtual disk (partition table + partion), so let's apply the blogpost above to our disk. Read the post again to understand what we do here:

$ hexdump -C linux.vdi | grep -m1 ^00000150
00000150  00 00 00 00 00 02 00 00  00 22 00 00 00 00 00 00  |........."......|
$ echo 'obase=16; 512; ibase=16; 2200 / 200' | bc
200
11


Now that we have the offset to our disk, we can instruct hdid to just attach this disk (minus the VDI header):

$ hdid -section 0x11 -nomount linux.img 
/dev/disk3              FDisk_partition_scheme
/dev/disk3s1            Linux
$ file -s /dev/disk3*
/dev/disk3:   x86 boot sector; partition 1: ID=0x83, starthead 1, startsector 63 [...]
/dev/disk3s1: Linux rev 1.0 ext4 filesystem data (extents) (large files) (huge files)


Now we could even fsck our virtual Linux partion from MacOS, hey! :-) 
            


Virtualbox: How to resize a VDI disk
2010-06-21T22:50:39Z

                Resizing virtual disks (VDI, Virtual Disk Image) in Virtualbox is still not possible*). There are several rather long tutorials out there how to do this, that's the short version of it:


Create a new VDI disk of desired size. We've created a 2GB deb02.vdi, as our 1GB deb01.vdi was too small.


Create a new VM, attach both the old (too small) and new (bigger, but still empty) disk to the VM, boot from a bootable CD, e.g. grml.


Once booted, we transfer the old disk (sda) to the new, bigger one (sdb):
    $ dd if=/dev/sda of=/dev/sdb bs=1M
  $ sfdisk -R /dev/sdb
  
Yes, that's right. We're just copying the whole disk (with its partition table!) to the new disk. I tried to just copy the partition and make it larger with GNU/parted, but it kept barking about unsupported flags on the ext4 partiton (sdb1) and whatnot and I gave up quickly. Anyway, now we have a 2GB sdb with the partitiontable from sda, that is: sdb1 is still 1GB in size, 1GB is unallocated space.


Luckily our disklayout was easy enough (and we had a simple MS-DOS partition-table). Thus, we just started cfdisk, deleted sdb1 and created a new sdb1, but filling out the whole disk (2GB).


$ sfdisk -R /dev/sdb again to re-read the partition-table.


Now that our partition is in good shape, we need to enlarge the peni^W filesystem as well:
     $ e2fsck -vf /dev/sdb1
   $ resize2fs -p /dev/sdb1
  
We might have to mount /dev/sdb1 for this, I don't remember.




If all goes well, we should now have a perfectly good sdb, so we could go on and replace the small deb0.vdi VDI disk with the bigger one, deb1.vdi.

I've done this a few days ago and I already forgot wether I had to re-install the bootloader. But I'm sure you'll find out if you have to :-)




*) as opposed to e.g. VMware, where it  should be possible to resize a virtual disk. I've even done it once :-) 
            


Migrating from VMware Server via OVF
2010-06-08T22:08:00Z

                After manually migrating a VMware VM to Virtualbox and all the hackery involved (although it was fun to learn), we need to remember that we should be able to accomplish the same with the help of OVF, the Open Virtual Machine Format. With that, things are a lot easier. Let's export that WindowsXP VMware-Server VM again, so that I can deploy it in a VMware-ESX Server later on:

# ls -lgho *vmx* *vmdk
-rwxr-xr-x 1 2.0K 2010-06-22 21:54 winxp.vmx
-rw-r--r-- 1  278 2010-05-15 00:32 winxp.vmxf
-rw-r--r-- 1 6.0G 2010-06-08 00:22 winxp-flat.vmdk
-rw-r--r-- 1  435 2010-06-07 23:44 winxp.vmdk

# time ovftool winxp.vmx winxp.ovf
Opening VMX source: winxp.vmx
Opening OVF target: winxp.ovf
Target: winxp.ovf
Disk Transfer Completed         
Completed successfully

real    13m25.328s
user    7m56.998s
sys     1m32.942s

# ls -lgho *vmx* *vmdk
[...]
-rw-r--r-- 1 3.1G 2010-06-22 22:07 winxp-disk1.vmdk
-rw-r--r-- 1 4.4K 2010-06-22 22:07 winxp.ovf
-rw-r--r-- 1  123 2010-06-22 22:07 winxp.mf


Note that our 6GB winxp-flat.vmdk has been converted to a 3.1GB winxp-disk1.vmdk:

# file winxp-flat.vmdk winxp-disk1.vmdk
winxp-flat.vmdk:      x86 boot sector, Microsoft Windows XP MBR
winxp-disk1.vmdk:     VMware4 disk image


Now we can logon to our ESX Server an deploy the winxp.ovf. We should be able to import the same VM into VirtualBox (supported since v2.2.0), I did not try it though. So yeah, OVF FTW, hm? :) 
            


Migrating from VMware Server to VirtualBox
2010-06-05T23:37:15Z

                Even though VMware Server was working fine with Ubuntu 10.04 (apart from random lockups without a backtrace in sight to debug with), I was kinda unhappy with all the hoops one has to go through just to get a virtual machine going. The kernel modules might break on the next upgrade and are tainting the kernel unnecessarily. Fortunately today we have a few virtualization options to pick from and I chose VirtualBox for this particular setup, as it seemed to be the easiest migration path. Let's begin with installing the prerequisites:



# apt-get install virtualbox-ose virtualbox-ose-dkms qemu


Then we had to convert our 2GB-split VMware VMDK files into a single VMDK file, otherwise qemu-bin would produce empty raw files in the 2nd step:



# vmware-vdiskmanager -r orig/test.vmdk -t 2 test.vmdk
# qemu-img convert -O raw test-flat.vmdk test.raw

# VBoxManage convertfromraw test.raw test.vdi
Converting from raw image file="test.raw" to file="test.vdi"...
Creating dynamic image with size 2147483648 bytes (2048MB)...

# ls -lgo *vmdk *raw *vdi
-rw------- 1 2147483648 2010-06-05 18:17 test-flat.vmdk
-rw-r--r-- 1 2147483648 2010-06-05 18:28 test.raw
-rw------- 1 1676681728 2010-06-06 12:50 test.vdi
-rw------- 1        432 2010-06-05 18:17 test.vmdk


Somehow VBoxManage cannot convert VMDK images directly, hence the qemu-img step. All these conversions will take a while, depending on image-size and diskspeed. There's no progress-bar, so just be patient.

With our VDI image now in place, we can register it to VirtualBox:

# VBoxManage openmedium disk test.vdi
# VBoxManage list hdds
UUID:       ddaaf826-3d25-48d6-9b2a-1afefdd3350f
Format:     VDI
Location:   /data/vbox-vm/test/test.vdi
Accessible: yes
Type:       normal


Now for the actual virtual machine creation. It's important to create the new machine with the same/similar hardware as the initial VMware instance was configured with, so that the guest OS won't be too suprised about the "new" hardware, i.e. storage- or network-controllers.

# VBoxManage createvm --ostype Debian --register --name "test" \
   --basefolder `pwd`
# VBoxManage modifyvm test --memory 128 --audio none \
   --boot1 disk --clipboard disabled
# VBoxManage modifyvm test --pae off --hwvirtex off \
  --hwvirtexexcl off --nestedpaging off --vtxvpid off
# VBoxManage modifyvm test --nic1 bridged --bridgeadapter1 eth1 \
  --nictype1 Am79C970A --macaddress1 000c291ac243


I've disabled any kind of hardware virtualization features, as the host-CPU is too old and doesn't support it anyway. Also, I used the MAC address of the VMware VM, so that the guest-OS will (hopefully) receive its known DHCP address.

Now for the storage devices. Again, try to use the same controller as configured in the VMware server (see the .vmx file of the old VMware instance). Also, we're attaching the virtual harddisk from above to our virtual machine.

# VBoxManage storagectl test --name "SCSI Controller" \
   --add scsi --controller LsiLogic
# VBoxManage storageattach test --storagectl "SCSI Controller" \
   --port 0 --device 0 --type hdd --medium ddaaf826-3d25-48d6-9b2a-1afefdd3350f


Having done that, it should look like this:

# VBoxManage list -l vms | egrep 'Control|MAC'
Storage Controller Name (0):            SCSI Controller
Storage Controller Type (0):            LsiLogic
Storage Controller Instance Number (0): 0
Storage Controller Max Port Count (0):  16
Storage Controller Port Count (0):      16
SCSI Controller (0, 0): /data/vbox-vm/test/test.vdi 
        (UUID: ddaaf826-3d25-48d6-9b2a-1afefdd3350f)
NIC 1:           MAC: 000C291AC243, Attachment: Bridged Interface \
                    'eth1', Cable connected: on, Trace: off (file: none), \
                    Type: Am79C970A, Reported speed: 0 Mbps


Now our virtual machine should be able to start just fine:

# VBoxHeadless -s test


You probably want to remove the VMware tools from the guest (vmware-uninstall-tools.pl) and tweak your startscripts to start your VM during bootup.

Oh, and if the machine just won't start up, we can still cheat and install the VirtualBox GUI:

# apt-get install virtualbox-ose-qt tightvncserver xfonts-base wm2


Update: Migrating a WindowsXM VM from VMware to Virtualbox was equally straightforward, but I could not get the NIC type right. Neither Am79C970A (PCnet-PCI II) nor Am79C973 (PCnet-FAST III) seemed equal to the VMware Accelerated AMD PCNet Adapter in VMware. So I had to use the VirtualBox GUI again, as VirtualBox OSE does not ship with RDP support to connect to. Also, the Ubuntu/Lucid version does not ship with VNC support, yet. Here are the commands for the WindowsXP VM again:

# VBoxManage createvm --ostype WindowsXP --register --name winxp --basefolder `pwd`
# qemu-img convert -O raw ../../vmware-vm/winxp/winxp-static-flat.vmdk winxp.raw
# VBoxManage convertfromraw winxp.raw winxp.vdi
# VBoxManage openmedium disk winxp.vdi
# VBoxManage modifyvm winxp --memory 256 --audio none --boot1 disk \
                     --clipboard disabled --pae off --hwvirtex off --hwvirtexexcl off \
                     --nestedpaging off --vtxvpid off --nic1 bridged \
                     --bridgeadapter1 eth1 --nictype1 Am79C970A \
                     --macaddress1 000c11b9c19c
# VBoxManage storagectl winxp --name "IDE Controller" --add ide --controller PIIX4
# VBoxManage storageattach winxp --storagectl "IDE Controller" --port 0 --device 0 \
                       --type hdd --medium a6723e4d-2caa-433d-91ec-f67238ff36a9
 
            



iStat Menus alternative?
2010-05-22T16:44:59Z

                For quite some time now I'm using iStat Menus (now by Bjango). With its latest version 3, it's now a paid app and one is urged to upgrade for $16. I don't mind the price so much, but the only reason (for me!) to upgrade would be a fix to one particular bug, the rest is just bloat I won't need anyway. With that being the case, I'm now looking for alternative programs for the features I'm currently using:


smcFanControl - displays temperature and fanspeed in the menubar. It even offers to tweak the fanspeed (why would I want to do this??) but it doesn't display all the other sensors available. However it's opensource, so a big plus here!



MenuMeters - displays CPU and network load (also disk and memory, but I don't need that). Seems clean and simple enough. And it's free (not only as in "beer") too!



The only feature left is the clock from iStat Menus where you can have different timezones displayed and a calendar on top. But maybe I finally have to make friends with the dashboard now. Oh well... 
            


Exim4 with clamd
2010-05-18T23:02:04Z

                Either my Xen DomU gets slower or my MTA keeps getting busier. But when looking at the stats I could see that a lot of clamscan have been spawned on every fetchmail. Nothing unusual, this is how it always worked. But to be honest, the setup was rather inefficient, to say the least: for every incoming mail, maildrop spawns a clamscan process, sometimes more than one in parallel. ps(1) shows, for just one process:

 PID  %MEM    RSS    SZ    VSZ  COMMAND
 8749 12.8 164500 49081 196324 clamscan


So, one process needs 12.8% of the systems memory, with just 5 process we're at 64% - and the box was indeed swapping heavily. So I finally got around *) to move the virus-scanning to Exim and let it speak to clamd instead:


/etc/exim4/conf.d/main/02_exim4-config_options
     +av_scanner = clamd:/var/run/clamav/clamd.ctl


/etc/exim4/conf.d/acl/40_exim4-config_check_data
     +  warn
     +    message = X-Virus-Status: Infected
     +    demime  = *
     +    malware = *


Note: I chose warn over deny here - I still want to have those viruses, 
I just want to have it annotated :-)



/etc/clamav/clamd.conf
     User clamav
     AllowSupplementaryGroups true
     LocalSocketGroup Debian-exim
     LocalSocketMode 0660



For Debian/5.0, I also had to:

# usermod -G Debian-exim clamav
# mkdir -m0770 /var/spool/exim4/scan
# chown Debian-exim:Debian-exim /var/spool/exim4/scan


With all this in place (plus disabling the clamscan directives in .mailfilter), the box is far less loaded now. According to ps(1), our single clamd now goes sometimes up to 16%, but that's still just one process and better than those >60% before.



Btw, if you want to test your email AV setup and your mailprovider doesn't even allow the sending of the Eicar Test File, try this instead.



Update: And it helped indeed, see the loadavg going down after changing the configuration to use clamd now. Phew, now I wonder why I haven't done this earlier....



*) I hate MTA configurations, I really do :-\ 
            


Notice of Claim of Copyright Infringement, pt. II
2010-05-16T03:52:00Z

                Almost to the hour two months after the last email ("Harry Potter Audio Books", yeah...right) I got contacted again. This time someone thinks I'm distributing "Iron Man 2" (again, srsly?). The Tor legal FAQ was helpful as always, so...let's see how this one pans out - if it does anything at all, I haven't gotten any reply to the first letter yet (apart from a Zimbra-mangled auto-reply). Is this a good sign? No? 
            


svn: Repository moved permanently; please relocate
2010-05-13T18:48:19Z

                Apparently, ispCP has changed its repository URL (why :800? Think of the children^Wfirewalls!), leading to:

$ svn update
svn: Repository moved permanently to 'http://isp-control.net/ispcp_svn/trunk' ; \
please relocate


Luckily, svn switch is here to help, the magic command to resolve this one was:

$ svn switch --relocate \
  http://www.isp-control.net/ispcp_svn http://isp-control.net:800/ispcp_svn .

$ svn info | grep -A1 ^URL
URL: http://isp-control.net:800/ispcp_svn/trunk
Repository Root: http://isp-control.net:800/ispcp_svn
 
            


That's When I Reach For My Resolver
2010-05-11T18:24:03Z

                So, the primary nameserver is down but luckily /etc/resolv.conf has been equipped with a secodary nameserver entry - great! And nslookup works like a charm too, heh! But all the other useful tools are waiting for ages until they'll get a response from the backup server - why is that?

$ time ping eve
eve is alive

real    0m30.045s
user    0m0.007s
sys     0m0.018s


Other than e.g. nslookup, the normal applications have to use the the resolver(4) to get their name requests answered. Now, we could cheat and put our backup server before the faulty one, but let's see if we can tackle this from a different angle. resolv.conf(4) was most helpful, of course:

options
   Allows certain internal resolver variables to be modified.

timeout:n / retrans:n
   Sets the amount of time the resolver will wait for a response from a remote 
   name server before retrying the query by means of a different name server.
   Measured in seconds, the default is RES_TIMEOUT. See 

attempts:n / retry:n

   Sets the number of times the resolver will send a query to its name 
   servers before giving up and returning an error to the calling application.
   The default is RES_DFLRETRY. See .


In our resolv.h (Solaris 10) we have :

$ egrep 'RES_TIMEOUT|RES_MAXRETRANS|RES_DFLRETRY' /usr/include/resolv.h
#define RES_TIMEOUT         5      /* min. seconds between retries */
#define RES_MAXRETRANS     30      /* only for resolv.conf/RES_OPTIONS */
#define RES_DFLRETRY        2      /* Default #/tries. */



So, let's tweak those options:

$ grep options /etc/resolv.conf 
options timeout:1 retry:1

$ time ping trent
trent is alive

real    0m7.794s
user    0m0.007s
sys     0m0.018s


Whooha, not bad. 

$ grep options /etc/resolv.conf 
options timeout:1 retry:0

$ time ping mallory
mallory is alive

real    0m2.100s
user    0m0.007s
sys     0m0.018s


Even better. Of course, one has to realize that with zero retries the resolver will jump to the next nameserver on the first failure - so, if our backup server is a bit sleepy we won't get a reply at all.

If you enable nscd, subsequent requests to the same name will be answered instantly:

$ sudo svcadm enable svc:/system/name-service-cache
$ time ping mallory
mallory is alive

real    0m3.218s
user    0m0.007s
sys     0m0.018s

$ time ping mallory
mallory is alive

real    0m0.198s
user    0m0.007s
sys     0m0.017s