OpenFiler Permission Issue

I’ve had issues before with OpenFiler where it doesn’t update the permissions on disk, although they appear correct in the UI. To rectify that, I stumbled upon a one-liner that fixed it. Let’s say you have a group called “Trusted” that you want to have full access to your music folder. Here’s the one-liner:

[root@files data]# pwd
/mnt/openfiler/data
[root@files data]# setfacl --recursive -m u:nobody:rwx,g:Trusted:rwx music

Speeding Up VMWare Server

I found VMWare Server to have very slow I/O, and sought to improve it. Below are a list of tests I performed, the change, and the results.

  
  
### Host OS ###
kelvin@gorilla:~$ sudo hdparm -t /dev/sdb1

/dev/sdb1:
 Timing buffered disk reads:  220 MB in  3.05 seconds =  72.17 MB/sec
kelvin@gorilla:~$ sudo hdparm -t /dev/sdb1

/dev/sdb1:
 Timing buffered disk reads:  266 MB in  3.01 seconds =  88.33 MB/sec
kelvin@gorilla:~$ sudo hdparm -t /dev/sdb1

/dev/sdb1:
 Timing buffered disk reads:  310 MB in  3.01 seconds = 102.99 MB/sec

### Before Changes ###
[root@files etc]# hdparm -t /dev/mapper/openfiler-data

/dev/mapper/openfiler-data:
 Timing buffered disk reads:    8 MB in  3.36 seconds =   2.38 MB/sec
[root@files etc]# hdparm -t /dev/mapper/openfiler-data

/dev/mapper/openfiler-data:
 Timing buffered disk reads:   24 MB in  3.63 seconds =   6.61 MB/sec
[root@files etc]# hdparm -t /dev/mapper/openfiler-data

/dev/mapper/openfiler-data:
 Timing buffered disk reads:   28 MB in  4.54 seconds =   6.16 MB/sec

I made several changes, but the changes that seemed to have the most impact are below:

vm.dirty_background_ratio = 5
vm.dirty_ratio = 10
vm.swappiness = 0
  

Pop this into the virtual machine’s .vmx file, reboot, and off you go. One unfortunate side effect is that you can no longer overload the memory (i.e. allocate more memory to the VMs than you actually have available).

  
  
### After Changes ###
[root@files ~]# hdparm -t /dev/mapper/openfiler-data

/dev/mapper/openfiler-data:
 Timing buffered disk reads:   52 MB in  3.13 seconds =  16.61 MB/sec
[root@files ~]# hdparm -t /dev/mapper/openfiler-data

/dev/mapper/openfiler-data:
 Timing buffered disk reads:   82 MB in  3.31 seconds =  24.75 MB/sec
[root@files ~]# hdparm -t /dev/mapper/openfiler-data

/dev/mapper/openfiler-data:
 Timing buffered disk reads:  118 MB in  3.19 seconds =  36.97 MB/sec
[root@files ~]# hdparm -t /dev/mapper/openfiler-data

/dev/mapper/openfiler-data:
 Timing buffered disk reads:  144 MB in  3.32 seconds =  43.37 MB/sec
[root@files ~]# hdparm -t /dev/mapper/openfiler-data

/dev/mapper/openfiler-data:
 Timing buffered disk reads:  160 MB in  3.10 seconds =  51.57 MB/sec

UPDATE: For those wanting all the speed while still using memory overloading, I’d suggest you give ESXi a try. So far, so good.

  
## With ESXi, same hardware ##
[root@files ~]# hdparm -t /dev/mapper/openfiler-data

/dev/mapper/openfiler-data:
 Timing buffered disk reads:  200 MB in  3.18 seconds =  62.92 MB/sec

Integrating OSSEC with Cisco IOS

I rank OSSEC as one of my favorite pieces of open source software, and finally decided to play around with it more in my own free time. (Yup, I do this sort of stuff for fun). My goal was quite simple: send syslog packets from my Cisco to my “proxy” server, running OSSEC. I found that, although OSSEC supports Cisco IOS logging, it didn’t really work. In fact, I couldn’t find any examples or articles of anybody actually getting it to work.

I initially tried to get it to work “correctly,” and soon settled to “just getting it to work.” I implemented some rules in the local_rules.xml file, which worked, but I’m pretty stubborn, and wanted to do it “correctly.” With a couple pots of tea I became much, much more familiar with OSSEC. The key (and a lot of credit) goes to Jeremy Melanson for hinting at some of the updates to the decoder.xml file that need to take place.

The first step is to read the OSSEC + Cisco IOS wiki page. Everything on that page is pretty straightforward. I then added three explicit drop rules at the end of my Cisco’s ACL:

...

access-list 101 deny tcp any host 220.244.xxx.xxx log
access-list 101 deny ip any host 220.244.xxx.xxx log
access-list 101 deny udp any host 220.244.xxx.xxx log

(220.244.xxx.xxx is my WAN IP, and I’m sure you could figure out xxx.xxx pretty darn easily, but I’ll x them out anyways).

To reiterate, OSSEC needs to be told to listen for syslog traffic, and syslog forwarding should already be set up on the Cisco. If you haven’t done this, go re-read the wiki above.

<remote>
<connection>syslog</connection>
<allowed-ips>192.168.0.1</allowed-ips>
</remote>

On or around line 1550 in /var/ossec/etc/decoder.xml I needed to update the regex that was used to detect the syslog stream.

...

<decoder name="cisco-ios">
<!--<prematch>^%\w+-\d-\w+: </prematch>-->
<prematch>^%\w+-\d-\w+: |^: %\w+-\d-\w+:</prematch>
</decoder>
 
<decoder name="cisco-ios">
<program_name>
<!--<prematch>^%\w+-\d-\w+: </prematch>-->
<prematch>^%\w+-\d-\w+: |^: %\w+-\d-\w+: </prematch>
</program_name></decoder>
 
<decoder name="cisco-ios-acl">
<parent>cisco-ios</parent>
<type>firewall</type>
<prematch>^%SEC-6-IPACCESSLOGP: |^: %SEC-6-IPACCESSLOGP: </prematch>
<regex offset="after_prematch">^list \d+ (\w+) (\w+) </regex>
<regex>(\S+)\((\d+)\) -> (\S+)\((\d+)\),</regex>
<order>action, protocol, srcip, srcport, dstip, dstport</order>
</decoder>


...

In the general OSSEC configuration file, re-order the list of rules so that cisco-ios_rules.xml is included before syslog_rules.xml. I had to do this because syslog_rules.xml includes a search for “denied”, and that triggers an alarm.

...
<include>telnetd_rules.xml</include>
<include>cisco-ios_rules.xml</include>
<include>syslog_rules.xml</include>
<include>arpwatch_rules.xml</include>
...

Remember that these dropped events will go into /var/ossec/logs/firewall/firewall.log. Because this is my home connection, and I don’t have any active_responses configured (yet!), I tightened the firewall_rules.xml file (lowering the frequency, raising the timeframe).

And in the end, I get a pretty email when somebody tries to port scan me.


OSSEC HIDS Notification.
2008 Nov 15 23:19:36
 
Received From: proxy->xxx.xxx.xxx.xxx
Rule: 4151 fired (level 10) -> "Multiple Firewall drop events from same source."
Portion of the log(s):
 
: %SEC-6-IPACCESSLOGP: list 101 denied tcp 4.79.142.206(36183) -> 220.244.xxx.xxx(244), 1 packet
: %SEC-6-IPACCESSLOGP: list 101 denied tcp 4.79.142.206(36183) -> 220.244.xxx.xxx(253), 1 packet
: %SEC-6-IPACCESSLOGP: list 101 denied tcp 4.79.142.206(36183) -> 220.244.xxx.xxx(243), 1 packet
: %SEC-6-IPACCESSLOGP: list 101 denied tcp 4.79.142.206(36183) -> 220.244.xxx.xxx(254), 1 packet
 
 
 
--END OF NOTIFICATION
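As an added illustration (it is not part of the original post and not OSSEC’s own code), here is a small Python model of what the cisco-ios-acl decoder and a frequency/timeframe firewall rule do with the lines in the notification above. The decoder regexes are translated to Python `re`; the correlation semantics (fire on the Nth denied packet from one source inside the window, then reset), the frequency of 4, the timeframe of 120 seconds, the one-second spacing of the lines and the extra ‘permitted’ line are all assumptions, not values taken from OSSEC’s firewall_rules.xml.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Stage 1 of the page's decoder: the cisco-ios-acl prematch, accepting both the
# bare "%SEC-6-IPACCESSLOGP: " form and the ": %SEC-6-IPACCESSLOGP: " form
# (the leading ": " is what the decoder.xml edit above adds).
PREMATCH = re.compile(r'^(?:: )?%SEC-6-IPACCESSLOGP: ')

# Stage 2: the two <regex> elements from the decoder, joined into one Python
# pattern. Capture groups follow the decoder's <order>.
FIELDS = re.compile(
    r'^list \d+ (\w+) (\w+) '              # action, protocol
    r'(\S+)\((\d+)\) -> (\S+)\((\d+)\),'   # srcip(srcport) -> dstip(dstport)
)
ORDER = ('action', 'protocol', 'srcip', 'srcport', 'dstip', 'dstport')


def decode_acl_log(line):
    """Return the decoded fields as a dict, or None if the line is not an ACL log entry."""
    pre = PREMATCH.match(line)
    if pre is None:
        return None
    m = FIELDS.match(line[pre.end():])   # offset="after_prematch"
    if m is None:
        return None
    fields = dict(zip(ORDER, m.groups()))
    fields['srcport'] = int(fields['srcport'])
    fields['dstport'] = int(fields['dstport'])
    return fields


class DropCorrelator:
    """Toy version of a frequency/timeframe rule keyed on the source IP.

    Assumption (not taken from OSSEC's rule engine): the rule fires on the
    Nth denied packet from one source inside the timeframe, then resets.
    """

    def __init__(self, frequency, timeframe_seconds):
        self.frequency = frequency
        self.timeframe = timedelta(seconds=timeframe_seconds)
        self.history = defaultdict(deque)   # srcip -> timestamps of recent drops

    def feed(self, when, fields):
        """Record one decoded drop; return True when the threshold is reached."""
        window = self.history[fields['srcip']]
        window.append(when)
        while window and when - window[0] > self.timeframe:
            window.popleft()
        if len(window) >= self.frequency:
            window.clear()
            return True
        return False


# The four lines from the notification on the page (the WAN address is already
# masked there), plus one constructed 'permitted' line to show it is ignored.
SAMPLE_LINES = [
    ': %SEC-6-IPACCESSLOGP: list 101 denied tcp 4.79.142.206(36183) -> 220.244.xxx.xxx(244), 1 packet',
    ': %SEC-6-IPACCESSLOGP: list 101 denied tcp 4.79.142.206(36183) -> 220.244.xxx.xxx(253), 1 packet',
    ': %SEC-6-IPACCESSLOGP: list 101 denied tcp 4.79.142.206(36183) -> 220.244.xxx.xxx(243), 1 packet',
    '%SEC-6-IPACCESSLOGP: list 101 permitted udp 192.168.0.10(5000) -> 192.168.0.1(514), 1 packet',
    ': %SEC-6-IPACCESSLOGP: list 101 denied tcp 4.79.142.206(36183) -> 220.244.xxx.xxx(254), 1 packet',
]


def count_alerts(lines, frequency=4, timeframe_seconds=120,
                 start=datetime(2008, 11, 15, 23, 19, 0)):
    """Decode each line and count how many times the drop rule fires.

    Lines are assumed to arrive one second apart starting at `start`
    (constructed timestamps; the syslog lines on the page carry none).
    """
    rule = DropCorrelator(frequency, timeframe_seconds)
    alerts = 0
    for i, line in enumerate(lines):
        fields = decode_acl_log(line)
        if fields is None or fields['action'] != 'denied':
            continue
        if rule.feed(start + timedelta(seconds=i), fields):
            alerts += 1
    return alerts


if __name__ == '__main__':
    for line in SAMPLE_LINES:
        print(decode_acl_log(line))
    print('alerts fired:', count_alerts(SAMPLE_LINES))
```

Run it and the four denied lines from 4.79.142.206 produce one alert, while the ‘permitted’ line is decoded but never counted; lowering the timeframe to a second or raising the frequency to five produces none, which is the knob the post mentions tightening in firewall_rules.xml.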

Using Django with SQL Server and IIS

As you can tell from reading some of the other pages, I like Linux and open source. But I also like to answer the question “what if…” This post is my [brief] run down of answering “what if I could run Django on Server 2003 with SQL Server and IIS.” Why, you may ask? To be honest with you, at this point, I don’t really know. One of the deciding factors was seeing that the django-mssql project maintains support for inspectdb, which means I could take a stock 2003 server running SQL Server, inspect the DB, and build a web app on top of it. The Django docs offer a lengthy howto for using Django with IIS and SQL Server, but the website for PyISAPIe seems to have been down for the last month or so. Without further delay, below are my notes on installing Django with SQL Server and IIS.

1a) Install python-2.x.x.msi from python.org

1b) Consider adding C:\Python25\ to your Path (right click My Computer, Advanced, Environment Variables. Enter in blahblahblah;C:\Python25\)

2) Download a 1.0+ branch of Django (and 7-zip if you need it)

3a) Extract the contents of the Django archive. From inside Django-1.0, execute:

C:\Python25\python.exe setup.py install

3b) Consider adding C:\Python25\Scripts to your path.

4) Look in C:\Python25\Lib\site-packages – confirm there is a Django package.

5) Check out django-mssql (http://code.google.com/p/django-mssql/), copy sqlserver_ado from inside source to the site-packages directory

6) Download and install PyWin32 from sf.net

7) Start a test project in C:\Inetpub\ called ’test'

c:\Python25\scripts\django-admin.py startproject test

8a) Create a database using SQL Management Studio, create a user. (First, go to the Security dropdown. Right click Logins, add a new user. Next, right click Databases, New Database. Enter in the name, and change the owner to the user you just created).

8b) Edit settings.py, set the engine to ‘sqlserver_ado’ and add the database credentials. Use the example below if your database comes up in the Studio as COMPUTERNAME\SQLEXPRESS (i.e. you are using SQL Express).

import os
DATABASE_ENGINE = 'sqlserver_ado'           # 'postgresql_psycopg2', 'postgresql', 'mysql', 'sqlite3' or 'oracle'.
DATABASE_NAME = 'crmtest'             # Or path to database file if using sqlite3.
DATABASE_USER = 'crmtest'             # Not used with sqlite3.
DATABASE_PASSWORD = 'password'         # Not used with sqlite3.
DATABASE_MSSQL_REGEX = True
DATABASE_HOST =  os.environ['COMPUTERNAME'] + r'\SQLEXPRESS' # I use SQLEXPRESS
DATABASE_PORT = ''             # Set to empty string for default. Not used with sqlite3.
9) Install/download FLUP: http://www.saddi.com/software/flup/dist/flup-1.0.1.tar.gz

python setup.py install

10a) Download pyisapi-scgi from http://code.google.com/p/pyisapi-scgi/

10b) Extract the files to somewhere you can remember on your computer, like c:\scgi

11) Double click pyisapi_scgi.py

12a) Follow the directions here: http://code.google.com/p/pyisapi-scgi/wiki/howtoen – I set a temporary different port since I’m just testing this out.

12b) The last few parts might be better served with an image or two. The screenshots cover:

  • Using an app pool to get the right permissions
  • The SCGI configuration file
  • Properties of the web site

13) Start the scgi process from the Django folder directory

python manage.py runfcgi method=threaded protocol=scgi port=3033 host=127.0.0.1

14) Test your django page, http://192.168.12.34:8080

Upgrading Cisco Wireless Firmware

I’m always forgetting the exact string to enter at the CLI for updating the IOS on a wireless Cisco AP, so I’ll just put it here to end my future searches:

Chimp# archive download-sw /force-reload /overwrite tftp://192.168.83.150/c1100-k9w7-tar.123-8.JEC1.tar

192.168.83.150 obviously being your tftp server, and the .tar file sitting in the root of the tftp server.

I suppose if you wanted to back up your IOS you could do something along the lines of:

Chimp# archive upload-sw tftp://192.168.83.150/someimage.tar

But I haven’t tried it…

Backup OpenFiler to S3

Backing up your Openfiler box to S3

While I don’t think most people would expect to back up their entire NAS/SAN to Amazon’s S3, there might be a few very crucial things you need to back up.

I’ve seen an implementation using Ruby and s3sync – something that I do on my server – but I’m trying to migrate everything to Python. Although there are a lot of great tools out there for S3, many of them Python-based, I wanted to do one thing and do it well: have one complete full backup available, and using as little bandwidth as possible. In these regards Duplicity would work well, except I wanted the ability to browse the S3 store using any other tool.

I’ve dug deeper into s3cmd, which I had noticed a long time ago, but I had failed to notice it has a sync option. I have tested it out, and it appears to work very, very well. Here’s how to use it with OF.

First, download s3cmd. You’ll need to use subversion, so I first checked it out to my laptop, then uploaded it via SSH to OF. I put my s3cmd folder in /opt.

  
[root@files opt]# ls
openfiler  s3cmd
[root@files opt]#

If you don’t have elementtree installed, now is a good time to install it.

conary update elementtree:python

We need to next configure s3cmd with our AWS creds.

[root@files s3cmd]# ./s3cmd --configure

In the end I didn’t configure encryption for my files (so just hit enter), but you may choose to do so. I have configured the transfer to use HTTPS, however.

Save settings? [y/N] y
Configuration saved to '/root/.s3cfg'

Cool. Now create a bucket on S3 for your NAS, e.g. blah2134accesskey.openfiler, using whatever method you choose (I typically use Cockpit). Now that you have a bucket, configure a really simple script to drop in cron:

#!/bin/bash

/opt/s3cmd/s3cmd sync /mnt/openfiler/data/profiles/bunny s3://blah2134accesskey.openfiler/mnt/openfiler/data/profiles/bunny
/opt/s3cmd/s3cmd sync /mnt/openfiler/data/profiles/kelvin-pc s3://blah2134accesskey.openfiler/mnt/openfiler/data/profiles/knicholson/kelvin-pc

Sweet! I like this approach quite a bit: I get file-level access to anything on the NAS, you don’t have to actually install anything, and it ‘just works.’
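A cron script like the one above fails silently: s3cmd’s exit status is thrown away, and a slow sync can still be running when cron starts the next one. The Python below is an added example, not the post’s script and not part of s3cmd; it wraps the same two sync calls, takes an exclusive lock so only one copy runs at a time, records each exit code and exits non-zero if any sync failed (so cron mails you). The lock file path and the `runner` hook (which lets the test substitute a fake s3cmd) are my assumptions; the s3cmd path, bucket name and directory pairs are copied from the post.

```python
import fcntl
import logging
import subprocess
import sys

S3CMD = '/opt/s3cmd/s3cmd'                       # install location from the page
BUCKET = 's3://blah2134accesskey.openfiler'      # bucket name from the page
LOCKFILE = '/var/lock/openfiler-s3-backup.lock'  # assumed path

# (local directory, key prefix under the bucket), copied from the page's script
SYNC_JOBS = [
    ('/mnt/openfiler/data/profiles/bunny',
     '/mnt/openfiler/data/profiles/bunny'),
    ('/mnt/openfiler/data/profiles/kelvin-pc',
     '/mnt/openfiler/data/profiles/knicholson/kelvin-pc'),
]


def sync_command(local_dir, remote_prefix, bucket=BUCKET, s3cmd=S3CMD):
    """Build the argv for one s3cmd sync, exactly as on the page."""
    return [s3cmd, 'sync', local_dir, bucket + remote_prefix]


def run_backups(jobs, runner=subprocess.call):
    """Run every sync even if one fails; return {local_dir: exit_code}.

    `runner` takes an argv list and returns its exit code (subprocess.call
    in production; a stand-in when testing without s3cmd installed).
    """
    results = {}
    for local_dir, remote_prefix in jobs:
        cmd = sync_command(local_dir, remote_prefix)
        logging.info('running: %s', ' '.join(cmd))
        rc = runner(cmd)
        results[local_dir] = rc
        if rc != 0:
            logging.error('sync of %s failed with exit code %d', local_dir, rc)
    return results


def exit_status(results):
    """0 when every sync succeeded, otherwise 1 so cron reports the failure."""
    return 0 if all(rc == 0 for rc in results.values()) else 1


def main(lockfile=LOCKFILE):
    logging.basicConfig(level=logging.INFO,
                        format='%(asctime)s %(levelname)s %(message)s')
    with open(lockfile, 'w') as lock:
        try:
            # Non-blocking exclusive lock: a second copy started by cron
            # while the first is still syncing just logs and leaves.
            fcntl.flock(lock, fcntl.LOCK_EX | fcntl.LOCK_NB)
        except OSError:
            logging.warning('previous backup still running; skipping this run')
            return 0
        return exit_status(run_backups(SYNC_JOBS))


if __name__ == '__main__':
    sys.exit(main())
```

Drop it into cron in place of the shell script; the lock is released automatically when the process exits, so a crashed run never wedges the next one.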

Configure Timevault to Remote Server

Using TimeVault with a shared drive as a backend is actually quite easy, but it does require a few special things to be set up. Note: this is gonna be a brief summary.

Install samba-tools, smbfs…

sudo apt-get install samba-tools smbfs

A lot more other stuff may install as well.

Create a script that mounts your samba share. You could also do this in fstab, but I tend to suspend my laptop when I come home, and I like clicking buttons.

#!/bin/bash

mount -t cifs //192.168.44.2/kelvin /mnt/backups -o netbiosname=KELVIN-PC,iocharset=utf8,credentials=/home/kelvin/Apps/.smb-details.txt

smb-details.txt includes:

username=DOMAIN\\kelvin
password=mypassword

Finally, create a folder called ’timevault’ or something inside your mapped share, then launch TimeVault and configure it to use the above mentioned /mnt/backups/timevault folder. Configure Timevault as normal.
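The credentials file above holds a plaintext password, so the check worth making before every mount is that nobody but its owner can read it. The following Python is an added example (not from the TimeVault or Samba projects, and not the post’s own script): it rejects a credentials file that is group- or world-accessible, parses it the way mount.cifs expects (one key=value per line) and builds the same mount command as above. The `demo()` helper, the temporary file it writes and the function names are mine.

```python
import os
import stat
import tempfile


def credentials_file_is_private(path):
    """True when `path` is a regular file with no group/other permission bits (0600 or tighter)."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return False
    return (st.st_mode & 0o077) == 0


def parse_credentials(path):
    """Parse username=/password=/domain= lines as mount.cifs reads them; return a dict."""
    creds = {}
    with open(path) as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith('#'):
                continue
            key, sep, value = line.partition('=')
            if not sep:
                raise ValueError('malformed credentials line: %r' % line)
            creds[key.strip()] = value.strip()
    return creds


def mount_args(share, mountpoint, creds_path, netbiosname='KELVIN-PC'):
    """Build the mount command from the page, refusing an over-permissive credentials file."""
    if not credentials_file_is_private(creds_path):
        raise PermissionError('%s must be mode 0600; it holds a plaintext password' % creds_path)
    creds = parse_credentials(creds_path)
    for required in ('username', 'password'):
        if required not in creds:
            raise ValueError('credentials file lacks %s=' % required)
    opts = 'netbiosname=%s,iocharset=utf8,credentials=%s' % (netbiosname, creds_path)
    return ['mount', '-t', 'cifs', share, mountpoint, '-o', opts]


def demo():
    """Write a constructed credentials file, show the check refusing 0644 and accepting 0600."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, '.smb-details.txt')
        with open(path, 'w') as fh:
            # constructed contents, same shape as the file on the page
            fh.write('username=DOMAIN\\\\kelvin\npassword=mypassword\n')
        os.chmod(path, 0o644)
        try:
            mount_args('//192.168.44.2/kelvin', '/mnt/backups', path)
            refused_loose = False
        except PermissionError:
            refused_loose = True
        os.chmod(path, 0o600)
        argv = mount_args('//192.168.44.2/kelvin', '/mnt/backups', path)
        return refused_loose, parse_credentials(path)['username'], argv[:5]


if __name__ == '__main__':
    print(demo())
```

Call `mount_args(...)` from the mount script and pass the result to `subprocess.check_call`; the mode check is what stops a stray `chmod 644` on the credentials file from quietly exposing the domain password to every local user.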

PyGTK + py2exe for Windows

I’m writing down these quick notes so I can remember the steps for getting py2exe to work with GTK.

  • Download the GTK+ runtime
  • Download py2exe
  • Copy over your project into the windows box
  • Create a setup.py file (see below)
  • Run “c:\Python25\python.exe setup.py py2exe”
  • Copy over the lib, etc, and share folder from C:\Program Files\GTK2-Runtime into the dist folder
  • Run app!

setup.py:

from distutils.core import setup
import py2exe

setup(
    name='ploteq',
    description='Bunnys Plotting Tool',
    version='1.0',

    windows=[
        {'script': 'ploteq.py'},
    ],

    options={
        'py2exe': {
            'packages': 'encodings',
            'includes': 'cairo, pango, pangocairo, atk, gobject',
        }
    },

    data_files=[
        'ploteq.glade',
    ]
)

Capped Internet

I’ve lived in several different parts of the world, and they all do internet differently. Back in the US I had 8Mb/sec cable (leaving just before Fios was really an option, darn!) In New Zealand, for instance, I was paying for “high speed ADSL” rated at 1.5Mb/256k. Vrooom. Up in Taiwan I was paying 1/2 what I paid in New Zealand, but for 12Mb/1Mb. Down to Sydney and we have a rated 24Mb/1Mb.

But there’s a catch with the plans in New Zealand and Australia: they are ‘capped’. This means you only get XGB/month – and it isn’t like Comcast capping at 250GB/month, I’m talking about 1GB/5GB/10GB and so forth. And there’s more – just like mobile phones, you get on-peak and off-peak times.

This all does make a bit of sense to me – there are only X amount of tubes going in and out of NZ and AU, and I would imagine they get pretty clogged.

Either way, last month was pretty painful. Two weeks into our plan I checked our usage: 14GB of 18GB! We had only 4GB left to use for 15 days. This sounds like a lot, but for the two of us, and my 10 virtual servers, it isn’t. The first thing I did was to look for a way to do WSUS with Linux – I ended up using apt-cacher (I’m using only Ubuntu at home). BitTorrent, out; downloading any new ISOs, out; streaming music, totally out. For a while I had to VPN to home, and then VPN to a client, as our router at work didn’t seem to like letting us access one of our clients. I even disconnected from the VPN if I wouldn’t be doing work for 20m!

We eventually made it, and used only 2GB in two weeks. What an accomplishment!

Revised mod_tile Install HOWTO

This is the laundry list of things I did while creating a mod_tile VMware appliance based on Ubuntu Server 8.04. I’ve kept descriptions limited but left all the commands in. Let’s start installing things…

Useful goodies for compiling source

sudo apt-get install build-essential

More goodies for Mapnik + Friends

sudo apt-get install libboost-dev libboost-filesystem-dev libboost-filesystem1.34.1 libboost-iostreams-dev libboost-iostreams1.34.1 libboost-program-options-dev libboost-program-options1.34.1 libboost-python-dev libboost-python1.34.1 libboost-regex-dev libboost-regex1.34.1 libboost-serialization-dev libboost-serialization1.34.1 libboost-thread-dev libboost-thread1.34.1 libicu-dev libicu38 libstdc++5 libstdc++5-3.3-dev python2.5-dev
sudo aptitude install libfreetype6 libfreetype6-dev libjpeg62 libjpeg62-dev libltdl3 libltdl3-dev libpng12-0 libpng12-dev libtiff4 libtiff4-dev libtiffxx0c2 python-imaging python-imaging-dbg proj
sudo aptitude install libcairo2 libcairo2-dev python-cairo python-cairo-dev libcairomm-1.0-1 libcairomm-1.0-dev libglib2.0-0 libpixman-1-0 libpixman-1-dev libpthread-stubs0 libpthread-stubs0-dev ttf-dejavu ttf-dejavu-core ttf-dejavu-extra
sudo aptitude install libgdal-dev python2.5-gdal postgresql-8.3-postgis postgresql-8.3 postgresql-server-dev-8.3 postgresql-contrib-8.3
sudo aptitude install libxslt1.1 libxslt1-dev libxml2-dev libxml2 gdal-bin libgeos-dev libbz2-dev
sudo aptitude install apache2 apache2-threaded-dev apache2-mpm-prefork apache2-utils
sudo aptitude install subversion

This checks out the mapnik source:

svn co svn://svn.mapnik.org/trunk mapnik-src

Let’s build mapnik with several specific locations included.

cd mapnik-src
python scons/scons.py PYTHON=/usr/bin/python PGSQL_INCLUDES=/usr/include/postgresql PGSQL_LIBS=/usr/lib/postgresql BOOST_INCLUDES=/usr/include/boost BOOST_LIBS=/usr/lib
sudo python scons/scons.py install PYTHON=/usr/bin/python PGSQL_INCLUDES=/usr/include/postgresql PGSQL_LIBS=/usr/lib/postgresql BOOST_INCLUDES=/usr/include/boost BOOST_LIBS=/usr/lib

And prepare a few things for the mapnik rendering…

svn co http://svn.openstreetmap.org/applications/rendering/mapnik/
cd ~/mapnik
wget http://tile.openstreetmap.org/world_boundaries-spherical.tgz
tar -xpzf world_boundaries-spherical.tgz
unzip processed_p.zip
cp coastlines/* world_boundaries/
rmdir coastlines

Time to setup postgres. I have the intentions of running renderd (the mod_tile rendering engine) under whatever user Apache is running as, so I’ll setup postgres to allow the OSM user to authenticate via password. I’m not a postgres expert, so if you see me doing something totally foolish, let me know.

sudo vi /etc/postgresql/8.3/main/pg_hba.conf

And edit the authentication part as so:

# Database administrative login by UNIX sockets
local   all         postgres                          ident sameuser
# the password method takes no map argument
local   all         osm                               password

And now to actually configure postgres for the OSM data

sudo su postgres
createuser osm
createdb -E UTF8 -O osm gis
createlang plpgsql gis
psql -d gis -f /usr/share/postgresql-8.3-postgis/lwpostgis.sql
echo "ALTER TABLE geometry_columns OWNER TO osm; ALTER TABLE spatial_ref_sys OWNER TO osm;"  | psql -d gis
echo "alter user osm with password 'columbia';" | psql
sudo /etc/init.d/postgresql-8.3 restart

Now, let’s render a sample image. Edit set-mapnik-env by changing the DB to ‘gis’, the username to ‘osm’, and the password to ‘columbia’

cd mapnik
source ./set-mapnik-env
./customize-mapnik-map >osm.xml
./generate_image.py

If you get an error about it not finding a lib, make sure to do a…

sudo ldconfig

You should have an image called ‘image.png’ in the mapnik directory, and it should look distinctly like the UK.

svn co http://svn.openstreetmap.org/applications/utils/export/osm2pgsql
cd osm2pgsql
make

Ok, that was easy. Let’s load some data. I’ve used a sample snippet from Sydney in /home/osm to illustrate this.

./osm2pgsql -W -d gis ../sydney.osm

Type in the password used for postgres (‘columbia’)

I’ll now check that the data is accessible by editing generate_image.py with the correct coords for Sydney.

ll = (150.29, -34.04, 151.25, -33.36)

Time to get mod_tile up and running.

sudo apt-get install libagg-dev
svn co http://svn.openstreetmap.org/applications/utils/mod_tile
cd mod_tile

Depending on the revision of mod_tile you are using, you are going to have to edit the source before compiling. The two files you need to read through are the Makefile and render_config.h. I changed the apxs and apachectl locations to the correct place (lines 2, 13 and 14). Since I did it on an x86 image, I took out any references to lib64 (line 33). In render_config.h, I made the following changes:

Line 8

#define WWW_ROOT "/var/www"

Line 23

#define OSM_XML "/home/osm/mapnik/osm.xml"

Removed references to lib64 on lines 26 and 29.

make && make install

Set it up as a module for Apache by creating a file in /etc/apache2/conf.d called ‘mod_tile’ and putting in there:

LoadModule tile_module /usr/lib/apache2/modules/mod_tile.so

Create folders called ‘osm_tiles2’ and ‘direct’ in /var/www, and make sure they are writable by whatever user Apache runs as (likely www-data). Restart Apache.

From here, I created a file that automatically zooms in on the map I just created – you can check it out here. Start the renderd process as www-data, and browse to the sample file.

cd ~/mod_tile
sudo su www-data
./renderd

By now you should have a working mod_tile/OSM setup. After I change and tune a few things on the Ubuntu image I’ll make the VMware image available for download. I can’t wait to do some OSM projects!