I’ve always used my blog as platform to share useful information with others, get feedback from comments that were posted and mails I’ve received. I’ve slowly built it up step by step from the 20th of March 2005 with a pretty rudimentary and early version of WordPress at that time. Due to my interest and work within the open-source area around Linux and the GNOME Desktop at that time, I had pretty much content I loved to share with other people interested in those topics.

By the time passing, the content of my blog also changed. I slowly moved away from Linux as an desktop operating system, towards using Mac OS X and its tools. Meanwhile, I took my own know-how about the Linux operating system on a higher level by starting to use it heavily as server-side operating system. My blog posts became from “Hey, check out this desktop notifications daemon I’ve written! There wasn’t anything like that on the GNOME desktop, now there is!” and “Oh look, this would be a great idea for a Sync-Application on the GNOME Desktop” to information sources for setting up a Linux instance on Amazon’s EC2 service, stripping down Ubuntu Servers to several hundreds Megabytes and setting up a Debian server that provides SSL-secured WebDAV with LDAP as authentication back-end. So instead of sharing useful information for Linux desktop users, I transited to share information about my experiences and creations on the Mac.

Through the years, my blog grew bigger and bigger, with more and more content. I was pretty happy with how it worked out, except of one part: The design. “devilx.net” never really had an unique identity shaped by its own design. I switched the look & feel several times, using freely available WordPress themes with smaller changes hacked by myself. For the pure sake of information sharing it worked out, but due to that my blog never really got its “own face”. I wanted to change this fact for like ever already, unfortunately I never really had the time and – what’s even more important – the muse for doing so. Now, after all those years – and especially after the last few months, in which the majority of returning visitors probably thought of my blog being another victim by the Twitter, Facebook and other Web 2.0 platforms’ distraction-hype – I decided to take the time, search for at least some creative inspiration and replace my yet-another-downloaded-WordPress-theme with something made with my own hands, giving my blog its own shape and style.

My abilities in the matter of creativity and design clearly aren’t the best, but I thought like… “Man, 2011 is coming, you just have to!”. So I turned on Pixelmator in full-screen mode and started drawing. I kinda had like dozens of concepts, drafts and even several PXM-to-XHTML implementations, but none really was something I’d like to have running on the internet, with my name on it. Meanwhile, I was testing Posterous, one of those Web 2.0-“we can streamline your blog with your Twitter account, your Facebook profile and the two-hundred-forty-nine other platforms you might be using”-services, which should have been the second update for today actually. I really liked it and I liked their theme-templating. I gave it a first shot, by exporting my WordPress’ database and importing it into Posterous.

The result unfortunately was… well… pure fail. It stopped at twenty-one out of several hundreds and didn’t advance for a couple of hours. After contacting the Posterous support, I got the advice to first clean up my WordPress’ spam-queue, re-export the database and try it again. So I did and finally the import ran through pretty quick. Curiously I checked out how the imported Posterous site looked, since I didn’t thought of for example comments being also imported. For my surprise, they were. Unfortunately, the import was incomplete. Some why three-fourth of my WordPress blog posts were missing. Again, I contacted the support which answered after two days, telling me that they’re on the problem and can’t provide me any help yet.

While I was waiting for a solution to my problem, I already translated one of my drafts into Posterous’ templating format – but soon I kind of realized, that Posterous isn’t pretty much what I needed. It works for many people and it surely is a very cool service, free of charge! But for me, as someone that’s pretty much into technology it’s just way too inflexible and closed. For example, I have found a way to import my WordPress’ data, but none to export the Posterous data. I guess, hacking through the API is probably the only way to do so. Also, Posterous’ content delivery isn’t performing really well, at least when requested from Germany. I built in some Base64-encoded images and a @font-face (because Posterous does not provide you any space for actually uploading pictures, which is why you would need to pay for some webspace or at least an Amazon S3 account anyway) and as soon as they were live, the page’s loading-speed decreased to a quite ugly value. Also I was unsatisfied with the template-editor/-previewer Posterous provides – it is really slow and for me (as web developer et al.) a pure pain to use.

Please don’t get me wrong – as I’ve said before, Posterous (as well as Tumblr and all those other services) really is something great, especially when you’re into writing quick shouts most of the time. But for me, as a person who likes the ability to extend the platform for sharing information to fit my (growing) needs, Posterous and others simply are too limited.

However, after realizing that I won’t give up my WordPress from one day to another (and by that actually had no second update to share with you today while I’m still sticking with the plural “updates” in this article’s first few lines), I’ve re-started concept-creation, drafting, mocking and all that stuff professional designers probably do the whole day. In the end, I came up with a pretty neat design that fits my taste pretty good and isn’t too exaggerated or improper to be used on a blog: It’s the design you’ve been staring at for the last, well, I would say fifteen minutes, if I haven’t already talked you into sleep.

“Okay, so your blog isn’t dead yet, huh?” – Yepp, that’s right (and that is the second update, hah!). I’m really looking forward to the next years of blogging, sharing and communicating with others. In the past several years digital life changed a lot and blogs became more and more irrelevant thanks to the possibility of fast and instant exchange with each other through Twitter for example. Unfortunately people sometimes tend to forget, that all those tweets would be nothing without the information behind them, that contains more than only 140 characters.

Having said this, I wish everyone a nice evening (CET UTC+1) and furthermore a great year in 2011. Have fun!

OTRS as a product is pretty cool and full of features, unfortunately from a technical aspect it’s pretty much of an unaesthetic “Perl hack” that’s, especially when you should try to integrate it into your existing environments and make it talk to your RADIUS or directly to your LDAP. Here, I would like to describe the basic configuration to get the latter working without any troubles.

Everything actually starts within the $OTRSHOME/Kernel/Config.pm. After you’ve set up your Apache to get you displayed the /otrs/index.pl and /otrs/customer.pl you’ll need to start hacking Perl in OTRS’ “config file”.
Let’s say, that we would want to authenticate against LDAP. And maybe not only for the agents (the people using index.pl) but also for the customers. So, let’s assume that we’re having a LDAP-tree containing our Base (“dc=something,dc=com”) and our “Users” OU (“ou=Users,dc=something,dc=com”). Also, we have a “Groups” OU (“ou=Groups,dc=something,dc=com”). I think that’s probably the most common built-up, regardless what names the OUs actually have.

Now, first of all, we need to know what user we could use to authenticate on our LDAP later and get the information we need. Here, I’m assuming it’s “cn=admin,dc=something,dc=com”. Let’s begin with the configuration for getting the agents authenticated:

    $Self->{'AuthModule'} = 'Kernel::System::Auth::LDAP';
    $Self->{'AuthModule::LDAP::Host'} = 'localhost';
    $Self->{'AuthModule::LDAP::BaseDN'} = 'dc=something,dc=com';
    $Self->{'AuthModule::LDAP::UID'} = 'uid';
    $Self->{'AuthModule::LDAP::GroupDN'} = 'cn=otrsagent,ou=Groups,dc=something,dc=com';
    $Self->{'AuthModule::LDAP::UserAttr'} = 'UID';
    $Self->{'AuthModule::LDAP::AccessAttr'} = 'memberUid';
    $Self->{'AuthModule::LDAP::Params'} = {
        port => 389,
        timeout => 120,
        async => 0,
        version => 3,
    };

The configuration should be pretty self-describing, though let’s sum it up: We’re connecting to the LDAP host “localhost” (since we probably tunnel the SSH port to the OTRS machine or have it running directly on that one – else you’d just need to specify another hostname/IP. BEWARE: When using an external LDAP with no tunnel you should use LDAPS!) and use our BaseDN. We define the user-id field being named “uid”, just like the user-attribute we’re going to look-up and we’ll be using the memberUid as access-attribute. Wait. memberUid? I lost you, right?

In this configuration, we’re also using a GroupDN that actually lets us “filter” which of our users might be allowed to use the OTRS as agents. For this, we’re accessing the group “otrsagent” within our “Groups”-OU and lookig up the memberUids.
At last but not least, the actual LDAP parameters like the port for example.

Now, you can test your login by browsing to your index.pl and enter the credentials of an LDAP-user being in your otrsagent-group. You should now be possible to authenticate. Nothing more. You won’t be able to login to your OTRS yet. Why? It’s simple: OTRS uses LDAP only for authentication but initially copies the user-data from LDAP into its own database backend. Therefor we need to set up the “AuthSyncModule”.

This module allows us to tell OTRS that we’d like to have our user data being synchronized with the LDAP database. Let’s take a look at the actual configuration:

    $Self->{'AuthSyncModule'} = 'Kernel::System::Auth::Sync::LDAP';
    $Self->{'AuthSyncModule::LDAP::Host'} = 'ldap://localhost/';
    $Self->{'AuthSyncModule::LDAP::BaseDN'} = 'dc=something, dc=com';
    $Self->{'AuthSyncModule::LDAP::UID'} = 'uid';
    $Self->{'AuthSyncModule::LDAP::UserAttr'} = 'UID';
    $Self->{'AuthSyncModule::LDAP::AccessAttr'} = 'memberUid';
    $Self->{'AuthSyncModule::LDAP::SearchUserDN'} = 'cn=admin,dc=something,dc=com';
    $Self->{'AuthSyncModule::LDAP::SearchUserPw'} = 'swordfish';

    $Self->{'AuthSyncModule::LDAP::UserSyncMap'} = {
        UserFirstname => 'givenName',
        UserLastname  => 'sn',
        UserEmail     => 'mail',
    };
    $Self->{'AuthSyncModule::LDAP::UserSyncInitialGroups'} = [
        'users',
    ];

Again, from top to bottom: We tell OTRS what LDAP host, what BaseDN, what UID/UserAttr/AccessAttr, what search user and what password to use. Then, we need to define what’s needed to be synchronized. Here, we only sync the most important data: First name, last name and e-mail. Note: Without the mail entry this won’t work!
After that, we define what OTRS-groups the user should initially be in.

Now you should be able to authenticate and login with your LDAP user.

Next, customer authentication.

The customer authentication needs to be configured separately and also starts with basic LDAP information:

    $Self->{'Customer::AuthModule'} = 'Kernel::System::CustomerAuth::LDAP';
    $Self->{'Customer::AuthModule::LDAP::Host'} = 'localhost';
    $Self->{'Customer::AuthModule::LDAP::BaseDN'} = 'dc=something,dc=com';
    $Self->{'Customer::AuthModule::LDAP::UID'} = 'uid';
    $Self->{'Customer::AuthModule::LDAP::GroupDN'} = 'cn=otrscustomer,ou=Groups,dc=something,dc=com';
    $Self->{'Customer::AuthModule::LDAP::UserAttr'} = 'UID';
    $Self->{'Customer::AuthModule::LDAP::AccessAttr'} = 'memberUid';
    $Self->{'Customer::AuthModule::LDAP::SearchUserDN'} = 'cn=admin,dc=something,dc=com';
    $Self->{'Customer::AuthModule::LDAP::SearchUserPw'} = 'swordfish';
    $Self->{'Customer::AuthModule::LDAP::Params'} = {
        port => 389,
        timeout => 120,
        async => 0,
        version => 3,
    };

I think I don’t need to comment this section once again. Next:

    $Self->{CustomerUser} = {
      Name => 'LDAP Datasource',
      Module => 'Kernel::System::CustomerUser::LDAP',
      Params => {
         Host => 'localhost',
         BaseDN => 'dc=something,dc=com',
         SSCOPE => 'sub',
         UserDN => 'cn=admin,dc=something,dc=com',
         UserPW => 'swordfish',
         Params => {
            port => 389,
            timeout => 120,
            async => 0,
            version => 3,
         },
      },
      CustomerKey => 'uid',
      CustomerID => 'mail',
      CustomerUserListFields => ['sn', 'cn', 'mail'],
      CustomerUserSearchFields => ['uid', 'cn', 'sn', 'mail'],
CustomerUserSearchPrefix => '',
       CustomerUserSearchSuffix => '*',
       CustomerUserSearchListLimit => 250,
       CustomerUserPostMasterSearchFields => ['mail'],
       CustomerUserNameFields => ['givenname', 'sn'],
       CustomerUserExcludePrimaryCustomerID => 0,
       AdminSetPreferences => 0,
       Map => [
           [ 'UserSalutation', 'Title',      'title',           1, 0, 'var', '', 0 ],
           [ 'UserFirstname',  'Firstname',  'cn',              1, 1, 'var', '', 0 ],
           [ 'UserLastname',   'Lastname',   'sn',              1, 1, 'var', '', 0 ],
           [ 'UserLogin',      'Username',   'uid',             1, 1, 'var', '', 0 ],
           [ 'UserEmail',      'Email',      'mail',            1, 1, 'var', '', 0 ],
           [ 'UserCustomerID', 'CustomerID', 'mail',            0, 1, 'var', '', 0 ],
           [ 'UserPhone',      'Phone',      'telephonenumber', 1, 0, 'var', '', 0 ],
           [ 'UserAddress',    'Address',    'postaladdress',   1, 0, 'var', '', 0 ],
           [ 'UserComment',    'Comment',    'description',     1, 0, 'var', '', 0 ],
       ],
    };

This is theoretically the same we’ve also set up for the agents and will let OTRS synchronize the customer data into its own database. I think the whole mapping should be pretty clear when read carefully, so I’m not going to explain every setting in detail.

However, after you’ve hacked together your basic configuration in this kinda way, also the customer.pl authentication should be working against your LDAP.

There’s one more thing that’s left to be mentioned. When you authenticate your agents against the LDAP, OTRS will try to authenticate root@localhost against it – what probably won’t work anymore then. Of course, you won’t need to go without an administrative user now. Simply pick one of your LDAP users, add him to the otrsagent group, log in to the web-interface and then adding an entry into the group_user table of OTRS’ database, containing the user_id of your LDAP user (get it from the “users” table) and the group_id “1″, with the permission_key “rw” and the permission_value “1″. After that, the user should have administrative rights.

And the next time, I’ll show you how to build an automatic back-scratcher using a wall, some glue and a cat. Enjoy!

First of all, we defined our scenario. Let’s assume that we’d like to have a cluster of two servers, both running the latest CentOS (5.4), both up-to-date, both using the very same partitioning and both using DRBD and GFS(2). On most SuSE or Debian systems, the installation would be pretty straight-forward: You install the base system, set up the DRBD, format it with some OCFS and make Heartbeat monitor everything. So far so good. On RHEL/CentOS it seems to work a bit different, due to the different tools they’re using. When installing the installation-group “Cluster Storage” for example, yum fetches packages named openais and cman – tools you’ve probably never heard of, when you come form the Debian corner (as I do). But before I describe those in detail, let’s just configure our plain base-installation.

What do we need to do first? What’s one of the most important things on two systems that should run “symmetrically” and have the very same data available, with every change that’s being made every second? Exactly, the time would be one of those things. We need to assure that both systems use the very same time. Mostly, you’ll be using some x86_64 hardware for such setups, where the problems start: On 64-bit hardware, the timekeeping with TSC doesn’t run that perfect, which is why we should just deactivate it and leave HPET do its job alone. After installing ntpd we need to open our grub.conf and add the notsc option to our kernels. It should looks something like this:

===================================================================
RCS file: /etc/grub.conf,v
retrieving revision 1.1
diff -u -r1.1 /etc/grub.conf
— /etc/grub.conf 2009/11/13 13:30:26 1.1
+++ /etc/grub.conf 2009/11/13 13:32:26
@@ -13,9 +13,9 @@
hiddenmenu
title CentOS (2.6.18-164.6.1.el5)
root (hd0,0)
- kernel /vmlinuz-2.6.18-164.6.1.el5 ro root=LABEL=/
+ kernel /vmlinuz-2.6.18-164.6.1.el5 ro root=LABEL=/ notsc
initrd /initrd-2.6.18-164.6.1.el5.img
title CentOS (2.6.18-164.el5)
root (hd0,0)
- kernel /vmlinuz-2.6.18-164.el5 ro root=LABEL=/
+ kernel /vmlinuz-2.6.18-164.el5 ro root=LABEL=/ notsc
initrd /initrd-2.6.18-164.el5.img

Now, we can shutdown the ntpd and set its drift-file to 0.000. After that, simply reboot and check the dmesg for the HPET-lines and of course also check the time on both systems to be identically.

Now, what else should we configure until we start building our actual cluster? Probably, we should take a look into the system-config-securitylevel-tui tool. Depending on what environment you plan your cluster to run in, you either want to open each port by port manually in the firewall and configure your SELinux to allow CMAN/OpenAIS and DRBD to work properly – or you simply turn of those “toys” and configure the network-segment to be secure by itself. It depends to you and I’m not going to write how to reconfigure the firewall or your SELinux-environment. For my tests, I simply turned both off. Especially the combination of CMAN/OpenAIS and SELinux can become pretty tricky, when SELinux runs in any other mode than “Disabled”.

Now, let’s finally please our inner kid and install some software:

# yum groupinstall “Cluster Storage”
…
# yum install drbd83 kmod-drbd83
…

I’ve chosen to use drbd83 since it’s the next stable release and already obsoletes drbd82 in CentOS 5.4 – and drbd is simply just too old. Of course, upgrades might become tricky when using explicitly versioned packages, but on DRBD it’s always a bit tricky, since there could be configuration changes which would have to be implemented manually on future versions.

However, now let’s create the infamous and poorly documented /etc/cluster/cluster.conf. For testing, we could simply use something like this:

<?xml version=”1.0″?>
<cluster alias=”cluster-setup” config_version=”1″ name=”cluster-setup”>
<rm log_level=”4″/>
<fence_daemon clean_start=”1″ post_fail_delay=”0″ post_join_delay=”3″/>
<clusternodes>
<clusternode name=”server-1.cross” nodeid=”1″ votes=”1″>
<fence>
<method name=”2″>
<device name=”LastResortNode01″/>
</method>
</fence>
</clusternode>
<clusternode name=”server-2.cross” nodeid=”2″ votes=”1″>
<fence>
<method name=”2″>
<device name=”LastResortNode02″/>
</method>
</fence>
</clusternode>
</clusternodes>
<cman expected_votes=”1″ two_node=”1″/>
<fencedevices>
<fencedevice agent=”fence_manual” name=”LastResortNode01″ nodename=”server-1.cross”/>
<fencedevice agent=”fence_manual” name=”LastResortNode02″ nodename=”server-2.cross”/>
</fencedevices>
<rm/>
<totem consensus=”4800″ join=”60″ token=”10000″ token_retransmits_before_loss_const=”20″/>
</cluster>

Configuring OpenAIS this way isn’t actually the best way… it’s not even “good”. But for testing (and understanding how stuff works) it should be enough. Those rules expect manual intervention when one of the two server should become unavailable and needs to be brought back into the cluster.

The domain “.cross” is expected to be a hostname.domainname entry within the /etc/hosts of each server and defines the direct cross-cable-connection from one server to another. We need this connection to shrink down network latency and provide a way for OpenAIS and (in this example) also DRBD to directly communicate with each other. A better setup would be to set the heartbeat on top of a serial-line, since it would be most fault-tolerant.

Okay, next. What’s left? Exactly, the actual DRBD – so let’s set it up:

global { usage-count yes; }
common { syncer { rate 100M; } }
resource the-disk {
protocol C;
startup {
wfc-timeout 20;
degr-wfc-timeout 10;
# become-primary-on both; # Uncomment this only after tested!
}
net {
cram-hmac-alg sha1;
shared-secret “i4m501337″;
allow-two-primaries;
}
on server-1 {
device /dev/drbd1;
disk /dev/sdb;
address 10.100.0.1:7789;
meta-disk internal;
}
on server-2 {
device /dev/drbd1;
disk /dev/sdb;
address 10.100.0.2:7789;
meta-disk internal;
}
disk {
fencing resource-and-stonith;
}
handlers {
#outdate-peer “/sbin/handler”;
}
}

This configuration defines our two servers and tells DRBD to use /dev/sdb on both for the actual data. Our meta-disk will be internal and with address we defined – guess what? – the IP addresses of our two servers. Those are the .cross-domain addresses!

Next, we initialize our meta-disks (on both nodes), set our generation identifier, start the actual DRBD service and check the roles it currently runs in:

# drbdadm create-md the-disk
…
# drbdadm — 6::::1 set-gi the-disk
…
# service drbd start
…
# drbdadm role all
Secondary/Secondary

If all those steps succeed, we can try to promote both nodes to primary:

# drbdadm primary all
# drbdadm role all
Primary/Primary

And if this now worked out properly, we can enable the automatic promotion from within our drbd.conf:

# rcsdiff -u /etc/drbd.conf
===================================================================
RCS file: /etc/drbd.conf,v
retrieving revision 1.2
diff -u -r1.2 /etc/drbd.conf
— /etc/drbd.conf 2009/11/13 10:34:23 1.2
+++ /etc/drbd.conf 2009/11/13 15:16:26
@@ -9,7 +9,7 @@
startup {
wfc-timeout 20;
degr-wfc-timeout 10;
- # become-primary-on both; # Uncomment this only after tested!
+ become-primary-on both; # Uncomment this only after tested!
}
net {
cram-hmac-alg sha1;

Great. So we’re set up now? Nope. We’re not. Next, we need to change DRBDs boot order in order for it to work properly with the GFS auto-mounting on boot:

# rcsdiff -u /etc/init.d/drbd
===================================================================
RCS file: /etc/init.d/drbd,v
retrieving revision 1.1
diff -u -r1.1 /etc/init.d/drbd
— /etc/init.d/drbd 2009/11/13 10:57:15 1.1
+++ /etc/init.d/drbd 2009/11/13 10:58:15
@@ -1,6 +1,6 @@
#!/bin/bash
#
-# chkconfig: 345 70 08
+# chkconfig: 345 22 75
# description: Loads and unloads the drbd module
#
# Copright 2001-2008 LINBIT Information Technologies

And let it run on boot:

# chkconfig –level 345 drbd on

Great! So, now we are set up, right? Nope, wrong. We have a running DRBD setup now, but we still lack of a cluster-able file-system. GFS2 is a pretty good choice for such a task, so let’s try to format the DRBD-device on one of our nodes with it:

# mkfs.gfs2 -p lock_dlm -t cluster-setup:mycluster /dev/drbd1 -j 2

Before we can try to mount the device, we need to have OpenAIS/CMAN running, in order to manage our GFS consistency. Let’s start the cman service therefor (on both nodes!):

# service cman start

Starting cman and starting fenced could take several seconds, be patient. If you installed both servers identically and followed this documentation step by step everything should work out just fine.

At last, we can now mount our DRBD device into some folder (on both nodes) and start playing around with our fresh setup:

# mount -t gfs2 /dev/drbd1 /mnt/somefolder

I hope everything worked out for you and I also hoped that this brief summary helped you getting a bit easier into the actual setup of such a cluster setup. Feel free to ask any questions or provide feedback in any form.

Enjoy!

export EZMWLUCENE_HOME=/opt/lucene/server
/usr/lib/jvm/java-6-sun-1.6.0.12/jre/bin/java -Dezmwlucene.home=$EZMWLUCENE_HOME -Djava.io.tmpdir=$TMP -cp $EZMWLUCENE_HOME/ezmwlucene.jar:$EZMWLUCENE_HOME/lib/jetty-6.1.14.jar:$EZMWLUCENE_HOME/lib/jetty-util-6.1.14.jar:$EZMWLUCENE_HOME/lib/servlet-api-2.5-6.1.14.jar:$EZMWLUCENE_HOME/lib/commons-codec-1.3.jar:$EZMWLUCENE_HOME/lib/commons-httpclient-3.1.jar:$EZMWLUCENE_HOME/lib/commons-logging.jar:$EZMWLUCENE_HOME/lib/FontBox-0.1.0-dev.jar:$EZMWLUCENE_HOME/lib/lucene-core-2.4.0.jar:$EZMWLUCENE_HOME/lib/lucene-highlighter-2.4.0.jar:$EZMWLUCENE_HOME/lib/PDFBox-0.7.3.jar:$EZMWLUCENE_HOME/lib/poi-3.5-beta3-20080926.jar:$EZMWLUCENE_HOME/lib/poi-scratchpad-3.5-beta3-20080926.jar net.sourceforge.ezmwlucene.service.EzMwLuceneService

Those two lines can be packed-up within a shell-script, which then gets ran by a proper /etc/init.d-script. For me, it now just works perfectly.

Enjoy!

The first thing needed is a client computer running any kind of the supported OSs by the Amazon API tools and of course the tools themselves. After you’ve installed those and configured all credentials the right way, we can create a new pair of SSH keys for our new project. Due to the location I’m currently in, I’ve chosen to use Amazon Instances in the western EU. Execute the following line on your command-line:

ec2-add-keypair –region eu-west-1 test-keypair

The result should look something like this:

[Deprecated] Xalan: org.apache.xml.res.XMLErrorResources_en_US
KEYPAIR test-keypair e1:1a:d1:a1:a1:1c:10:a1:b1:d1:cb:11:11:1a:11:11:f1:11:ae:fe
—–BEGIN RSA PRIVATE KEY—–
XXX
—–END RSA PRIVATE KEY—–

You can now copy the lines from BEGIN… until END… (including those two) into a file which you’ll be using as SSH-key for connecting to your instance. Don’t forget to chmod 600 it!

Next, let’s see what base-images for creating our instance we could you – first, provided by Amazon themselves:

ec2-describe-images –region eu-west-1 -o ‘amazon’

The list is contained of several different OSs and versions, although in our current project we can’t make use of any of those. Therefor, we’re now searching for a perfectly fitting, really good operating system:

ec2-describe-images –region eu-west-1 -a | grep -i debian

And yet, we receive another list with several different versions of the Debian Linux distribution. After we’ve picked the one we’d like to run, we should check what instances are currently up and running:

ec2-describe-instances –region eu-west-1

If you’re using Amazon’s EC2 for the first time, there shouldn’t be any items listed. We can now start our very first instance, by copying the instance’s identifier (in the second column, a string starting with ami-) and pasting it into our command:

ec2-run-instances –region eu-west-1 -k test-keypair -g ‘http/s’ -g ‘ssh’ ami-b8446fcc

In this command, we tell Amazon to start up a new instance that’s built on top of the ami-b8446fcc-image, using the key-pair we just created before and using some custom built firewall-rules named “http/s” (which allows us to connect to port 80 and 443) and “ssh” (port 22).

We need to wait a few seconds, until the instance comes up. We can use the describe-instances command from above to check the instance’s status:

ec2-describe-instances –region eu-west-1

As soon as it’s up and running, the “pending” column should have been replaced by a dynamically allocated hostname and the status “running”. Keep in mind, that this hostname/ip is dynamically allocated! If you want a fixed IP, you need to allocate and assign an Elastic IP – I’ll show you later how to do so.
If our firewall rules worked out, we can now connect using SSH:

ssh -i ~/Library/EC2/id_rsa-test-keypair root@ec2-11-111-11-111.eu-west-1.compute.amazonaws.com

By default, Amazon sets up a Small Instance, that provides around 10 GB of hard drive, an Dual-Core AMD Opteron 2218 with 2600 MHz and around 1.7 GB of RAM. Small instances, in comparison to the bigger ones, also still provide a real swap-partition which is limited to 895 MB. Here, you could run into problems when installing some Oracle for example, since the DB would like to have 1 GB or more Swap-space. If 895 MB should not be enough, the only way to enlarge it seems to be to use a file within your file-system for that. Either, by placing it somewhere into / or by using /mnt for that. /mnt is a special mount in Amazon instances which provides you 147 GB of additional volatile storage. Amazon doesn’t guarantee in any way the storage to be stable/solid or even backed up – and usually /mnt is only used for bundling your instance. You might now think “so, where could I place my data, if / is only providing me 10 GB of space and /mnt should not be used for storing sensitive data?” – well, there’s a third possibility named Elastic Block Storage. An EBS is being displayed to your instance as regular block-device (/dev/sdb, …) that’s format- and mountable. There, sensitive data could be stored, by bind-mounting the directories you’d like to have your data in. I’m not going to explain how this works, else I’ll never finish writing this brief documentation.

However, since we’re connected to the instance now, we can set it up the way we want it, with whatever software we need on it. I’ve assumed, that most people would set it up as regular LAMP-instance, therefor I’ve also added the firewall-rule for HTTP/HTTPS. After we finished installing the software we need, there’s one more package that should be plugged into the system: The Amazon AMI Tools. Simply wget them from http://s3.amazonaws.com/ec2-downloads/ec2-ami-tools.zip and unzip the package. Those tools make use of Ruby, so ensure having it installed on your instance. Also, you need to have the private key (pk-.pem) and the certificate (cert-.pem) you created the instance with somewhere within your instance’s filesystem, for later use.

Before we bundle up our system now, let’s come back to the topic we had before: The hostname/IP. Amazon allocates some dynamic address, unless you tell them to give you a fixed (called Elastic) IP. You can do that by simply executing:

ec2-allocate-address –region eu-west-1

… within your client’s command-line (where the Amazon API Tools have been installed – not on the instance!). As result you’ll get some IP address that has now being allocated by Amazon for you. The IP isn’t bound to any instance yet – it’s just allocated for you to be able to use it. ATTENTION: You pay for Elastic IPs as long as you do not assign them to an instance. Yes, that’s right. Amazon charges you for every allocated but unused IP hourly. By that, they want to prevent people “collecting” addresses, I guess. To assign the address you just received to your instance, simply run:

ec2-associate-address –region eu-west-1 -i i-11e11b1e 79.125.11.11

The i- is your actual instance’s ID, where the last, dot-separated number is the IP you’ve received. And yes, those are fake numbers – so don’t even try.

Now it could take a bit for Amazon to reconfigure the instance, but as soon as it finished, you should be able to re-connect to the instance using the IP you just assigned to it.

As last task for today, let’s bundle up the image the way we have it now. Bundling an image allows you more than just eating up your credit card’s limit by dumping your S3 buckets. On the one hand, with bundles you can recover machines that crashed or lost data within a few blinks and on the other, you can created new instances out of a bundle (talking about “scalability”).

For bundling, we use the AMI tools we installed. First of all, let’s create a directory for the bundle:

mkdir /mnt/myimage

After that, run the bundle-vol-tool:

ec2-bundle-vol -k pk-.pem -c cert-.pem -s -u -d /mnt/myimage/

This command takes several parameters for the private key, the certificate, the size of the resulting bundle in MB and your User-ID (without dashes). The User-ID can be found within your Account Information on Amazon’s EC2 site. The command should ask you, what architecture you’d like to bundle the system for – i386 should work out perfectly for what we’re doing. The following procedure could take some time, since the tool collections every peace of the system and builds a bundle into the directory we specified. As soon as the tool finished, we can upload our bundle to our S3-bucket:

ec2-upload-bundle –location EU -b -m /mnt/myimage/image.manifest.xml -a -s

Again, we need to specify some credentials (our access-key and the secret-key) for the upload to work. Also, we need to pick a globally unique bucket-name for uploading the bundle, what shouldn’t be that hard as long as you don’t try stuff like “linux” or other common words. The bundle will then be uploaded to your (private) bucket, so you have it for later use.

From within the web-interface you could now simply create new instances out of the uploaded bundle, without even knowing how the actual system was set up or having the Amazon API tools installed on your client.

Cool stuff, enjoy!

As I’ve written, moving the application-folders into the cloud seems to be working pretty good on one client. Now I’ve tested, how it is when using two clients and pulled the information contained in the cloud (from client A) down to client B. Each of the three applications worked in general, Pidgin started with the account configured on client A, Evolution started with the Inbox configure in client A but asked me for the password to access the mail-server (what’s clear, because I did not synchronize the key-rings) and Firefox displayed with the preferences configured, but prepended a message box that said:

Could not initialize the application’s security component. The most likely cause is problems with files in your application’s profile directory. Please check that this directory has no read/write restrictions and your hard disk is not full or close to full. It is recommended that you exit the application and fix the problem. If you continue to use this session, you might see incorrect application behaviour when accessing security features.

This confused me a bit, especially since the actual browser ran without any more problems. However, I’ve been to lazy to track down this permission problem.

After I’ve checked, if “one-after-another” synchronization worked, I tried out the simultaneous usage of both machines, while being connected and synced with the cloud on each of them. As I’ve expected, I ran into some problems: Suddenly, some more folder (thumbnail) appeared within the client B’s Ubuntu One folder, that contained his app-information. The folders remained until the actual Home folder finished receiving the data from within the cloud, then they just disappeared. I don’t know, if those have been merged or just deleted – it just worked afterwards.

Ubuntu One seems to be using “semaphores”, in a similar way token-ring was using: At first, client A is allowed to sync his data with the cloud. When this is finished, client B is allowed to sync. Then, it’s client A’s turn again – and so on. Theoretically, this is good. But in practice, Ubuntu One unfortunately seems to overwrite locale changes when pulling data down from the cloud. In comparison: MobileMe asks the user and merges the data, as good as possible.

In the end, simultaneous usage was unable to sync both machines in a way, so that data was kept consistent. Either one machine lost information, or the other. Especially when adding a new Pidgin account on client B, waiting for the sync, closing Pidgin on client A (which then seems to save a final account-info) and waiting for the sync there, you will be surprised your account not to be available when re-launching Pidgin on client A.

Of course, synchronization always is a tricky feature, but I guess, Ubuntu One lacks of an SVN-like back-end, that keeps track of all changes and makes merging possible. I’m really interested in how Ubuntu One will continue to evolve and I’ll try to keep tack of its development status. This could really kick ass someday, as soon as everything works seamless and simultaneous.

For my tests, I was using a vanilla Ubuntu 9.04 with latest package versions/updates installed. The installation of the PPA was pretty simple, thanks to the DEB provided on the Ubuntu One site, although I could not install the Ubuntu One GNOME-Client using the one-click feature implemented on the official Install-site. This probably could be the first thing a regular user could trap on.

So, after installing the packages manually by using a terminal and aptitude, the client appeared in Ubuntu’s “Internet”-submenu of the panel-main-menu. When a user installs Ubuntu One on a new computer and clicks the client’s icon within the menu to start the service, he will get a browser-window containing an Ubuntu One authorization-page. There, the user needs to click the “Authorize this Computer” button, so the computer will be able to sync with the Ubuntu One cloud. I took a quick look behind the scenes and as far as I’ve seen, Ubuntu One uses regular OAuth to authenticate computers to the cloud. The OAuth-token therefor will be saved within the “Passwords & Keys” thingy, that’s found somewhere in the main-menu.

However, the sync service itself creates a “Ubuntu One” folder within your home-directory, which syncs up into the cloud. Within this folder, there’s also a sym-linked-folder for Public content. The client-daemon doesn’t seem to be using some mechanism like iNotify to sync the folder contents up to the cloud, or if it does, it’s simply broken. At least on my test-machine, the client synchronized periodically – and by periodically I mean cycles with noticeable pauses in between. On one way that’s good, because not every tiny-whiny change that will be made to the folder’s contents will be pushed up to the cloud, what would literally kill your bandwidth, but on the other hand, the actual duration from one sync to another is just too big to be used with multiple devices simultaneously (e.g. an Android implementation or even another client-computer).

Talking about the simultaneousness, I don’t think that Ubuntu One is (yet) planned to be used on multiple computers simultaneous. On my test-setup I’ve created a sub-folder named “Home”, where I moved some dot-starting-folders from within my actual $HOME to and soft-linked them back to their actual location. My setup then looked something like:


devilx@vm-ubuntu:~$ ls -la | grep ^lrw*
lrwxrwxrwx 1 devilx devilx 38 2009-09-12 20:32 .evolution -> /home/devilx/Ubuntu One/Home/evolution
lrwxrwxrwx 1 devilx devilx 36 2009-09-12 20:31 .mozilla -> /home/devilx/Ubuntu One/Home/mozilla
lrwxrwxrwx 1 devilx devilx 35 2009-09-12 20:33 .purple -> /home/devilx/Ubuntu One/Home/purple
devilx@vm-ubuntu:~$


By this, I’ve pushed the preferences and information of my Firefox, my Evolution and my Pidgin into the cloud. A quick test showed me, that none of those three applications complained about their new “home” being a symlink to some directory within the cloud – and neither about any insufficient permissions that could have happened, if the cloud was set-up crappy (+1P for Ubuntu One). Still, this setup seems not that perfect for me, at the moment.

The synchronization of a modified .mozilla and especially of a modified .evolution folder seems to take for years. While I’m writing this text, the client-daemon is still synchronizing the files (it started nearly at the same time I’ve started writing this entry) and says “Updating 6 of 270 files…” – this could become a looooong night. Though, I don’t want to complain about Ubuntu One’s performance, since yet, it’s still in Beta (even if I don’t know, if Beta isn’t just an upcoming trend every company has to stick with -> e.g. Google).

I’ll try to clone this Ubuntu-installation and run them both with Ubuntu One being active – first, one after another (to see, if the applications could be synced without them complaining about parameters, that are incorrect for the secondary host they get synced to -> e.g. hostname information) and then I’ll try to run them simultaneously and hope for the best. If it should work out (what I don’t expect, just from what I’ve seen in similar projects), it would be really cool, because then, most applications could be synced this way without much hassle. I’d be really surprised, if this should be working, because then, the cloud seems to implement some kind of “merge” service, which allows you to upload data from two (or more) clients and seamlessly merge it up in the cloud together to one, consistent state.

Eh, I will see. Altogether, Ubuntu One is yet already working pretty cool, though I’m not quite sure, what a regular user should do with it, if he’s already aware of service like Dropbox or Amazon’s S3 – because at the moment, Ubuntu One unfortunately isn’t any better than those services. It just integrates more seamless into the GNOME-desktop. Hm… oh well.

The last time I check out the project, there was no such daemon for Unix(-like) platforms but Mac OS X itself. I decided to take a quick look at the independend istatd Project on Google Code and give it a shot. I fetched the sources, built them on a Debian Lenny and ran the daemon with a slighly modified configuration – and it worked!

I found it pretty cool. Actually, I found it so cool that it was the reason for me to buy the actual iPhone App. I have no Mac OS X Servers I’d like to monitor, but I could think of plenty of Linux machines which I’d like to keep an eye on – not as an replacement for Nagios, just as a solution for quick-live-monitoring.

However, I decided to build a Debian package, to make it easier to deploy the istatd on a couple of machines. I attached the Debian package to this post, so you can just download and install it on your Lenny machines. Warning: It’s not a clean and tidy built, lintian conform packge! I just hacked it together to have something that “just works”. And that’s what it actually should. Besides, be warned that the daemon takes quite long to shut-down, due to the fact that I’ve just used the regular /etc/init.d/skeleton to create an own /etc/init.d/istatd script, without going into deep workflow-checks. Here, the script takes something around half a minute to kill the istatd.

Anyway, now I’m going to take a look at the sources and see, if I could probably commit some enhancements to the projects. The last time I was doing C++ is *quite* a time ago, but it shouldn’t be too hard from what I’ve seen so far. On the project’s site it says that there’s no support for fans and temperature measuring, yet. I will check whether it’s possible to use lmsensors for getting those information and maybe hack it in – or even rewrite the daemon in C, what would be the best to do anyway.

Oh well, however. Enjoy the package.

Download: istatd_0.5.4-1_i386.deb

I’ve never actually been a fan of jail-breaking the iPhone nor the iPod, since it’s totally controversial. Most people who jail-break their devices think “Why should I just use 10% of what I could really use on that device?!“, though they don’t think twice: Why did they buy an Apple product like the iPhone or the iPod Touch? There are three kind of people who buy these things: The first type are the “cool” people. They like to pay the “Cool Tax” just to be cool themselves and impress other people. “Look how cool my new iPhone is!!!111“. Such people might jail-break, just because they’d like to be able to say “Oh well, sure, you got an iPhone, too, but look what mine has, that yours doesn’t!!!111“.

The second kind of people, jail-break their iDevices because they can. That’s it. Nothing more. These people are usually some people with more interest into technology, which just have fun doing such things. “Look, my iPhone runs an SSH session! And look, on my Xbox I have a media-center that looks just like Apple TV but has way more features. For free! And oh, my PSP runs Linux!!“. Those people in general do stuff like this because they enjoy it and don’t really much care of the device’s functionality. They don’t care if they won’t be able to play any games on their PSP anymore, they don’t care if they lose their rest-warranty on their Xbox and they don’t care if they won’t be able to read any e-mails on their iPhones anymore. They just don’t care, if it works properly (without hacking) or not.

What brings me to the third kind of people. Those buy products like the ones from Apple mainly because of one important reason: It simply works! You turn it on, you do what you need to do and then you turn it off. No hacking, no installing, no complex configuration, nothing. It just works.

However, the knowledge regarding IT/computers/devices of those people vary from none to I-could-write-my-own-OS. Those, who really know what they’re doing won’t jail-break their devices or if they will, they’re being kind-number-two. Those who don’t really know but hear from all kind of people (kind-number-one mostly) what cool things would be possible if they’d jail-break their devices, will also jail-break their devices one way or the other. And here the controversiality begins.

Why would someone want to spend the amount of $X on a device that’s totally managed, works exactly as it should and gives you only a number features, which therefor really work and then take highly experimental and nearly unsupported software, put it on exactly this device and try to do things with it that were never be planned to be done with that device.

Those people then realize, how crappy everything started to be, though their devices has an enhanced set of features now. They’re going to be yelling about everything that goes wrong and isn’t working out in a way you’d expect it from an Apple product – but they forget, that it’s not an Apple product anymore. At least not the software. Not all of it.

However, the same thing happens to people of kind-number-one, though the difference is, that those would never complain about their crappy set of new features in public.

Anyway, so as I said, I’m just restoring from the jail-break to Apple’s original. Not that I’m complaining or just tried to be “cool” – I was really interested on two things: First, if I manage it to jail-break it through a Windows XP VM and second, how the jail-breaking stuff evolved till now. I was really curious about the software available for the hacked firmware and the things you could do with it.

Unfortunately it’s still exactly as I thought: It’s nice to play around with, but it’s nothing for a productive, everyday use. The software is too unstable, too untested and totally hacked-together. The programmers didn’t follow any design- or usability-guidelines and in general everything looks too unstable. Don’t get me wrong: I’m not saying that the people who’ve realized this did crap! I admire any hacker who’s contributing to this project. But that’s the exact point of it: Those are usually hackers/developers/freaks who don’t really care about usability-guidelines or stuff like that. Just like those people that were developing UIs for Linux once (and still are).

However, besides this, I didn’t really benefit of the jail-break. I used a cool theme, though my whole iPod got awfully slow because of that. As it seems, the original theme won’t be replaced by a new one, but instead it will be just “overlaid”. At least this was my impression when opening the Preferences, seeing the iPod’s standard theme, waiting some seconds for the iPod to become responsive again and then seeing the modified theme. And this of course also impacted on my battery life: By just listening to music I usually got 3 days of battery-life – and I listen a lot to music! With the jail-break installed, after one day I usually only had twenty-five percent of the battery-life left.

Eh, well. I played a bit around, I’ve seen the jail-break myself and I’ve also seen that it’s far from being called “oh this could really make me use it!“, at least by me. Oh, I guess my recovery has finished….

WebKit Development Tools

In the past few weeks, I was involved into heavy JavaScript web-development at work and had to work with tools that allow me to debug dynamic web-content in an effortless way. Most people would now say “Use Firefox with FireBug addition!” and I would even agree with them, if I would be using some Windows operating-system instead of my lovely Mac. Everyone who has ever used Firefox on a Linux or a Mac OS X will know, that it’s a pain in the arse. Due to the way Mozilla-developers have taken to make Firefox available on multiple platforms, it lacks of any speed and integration within most implementations.

So what to do on a Mac, where Firefox trying to render a full-blown AJAX-site needs more space and CPU-power than a VMware or Parallels instance of Windows XP, running the IE? Most people don’t really know, that the Mac’s integrated browser already provides a very good toolset for web-development which just got even better with the version 4 (yet, still Beta) of Safari.

The toolset is hidden, on a regular OS X, but it can be unlocked pretty easy. The only thing you gotta do, is quit your Safari, open a Terminal and enter this command:

defaults write com.apple.Safari WebKitDeveloperExtras -bool true


It should quit without any output. After that, you can quit the Terminal and re-start Safari. You might not see any difference to Safari’s appearance before spawning the command, but now just try to do a right-click / command-click within a web-site. You will see, that your popup-menu has just been extended by one new item at its bottom, called “Inspect Element“. By clicking this entrie, Safari either opens a new window or separates your current one with an additional view, depending on what Safari version you’re using. This command works on 3 and 4.

Within that window, you will see a lot of useful information about the page. You can see time and size measurements, script-warnings and -errors and many many more. This extensions to Safari’s WebKit provides you nearly everything you might know from FireFox Add-Ons like FireBug. And besides of that, it allows you to profile your page in a sleek and easy, graphical way.

I’m now working quite some time with those tools, exactly because of all the problems I had with Firefox on my Mac, and I must say that I love them. I love the integration and the way it allows me to debug my sites. The only thing I liked more in FireBug was the precision of its GET/POST/PUT/…-output, but most of the time I don’t need that anyway.

Enjoy!

The current service-site describes the services mainly as synchronization option for your Ubuntu workstations, so that everything is kept up to date. My first thought on this was, that they’re using webdav (just like Apple does for their iDisk) for accomplishing this task, but as it seems, there’s no webdav involved. Maybe it’s built-up on Amazon’s S3?

I don’t know yet, since up to now I haven’t received my invitation to join and use this service. I was told that invitations are being sent amongst others depending on the service’s usage, so I really hope (since the ubuntuone.com isn’t that popular, yet) to receive mine soon.

Depending of how good this service works already, it could be a really good competitor to Apple’s MobileMe – especially if it should get an own “Exchange for the Rest of Us”, heh. I don’t know what’s planned to be implemented and as it seems there’s not much talking about that, but I’d really welcome it to see a working solution on that area.

As soon as I’ll receive the invitation, I will take Ubuntu One on a test-drive and try to see whether it would be possible to use this service on other distributions as well. I really can’t wait to get my hands on the service’s software, heh…

However, so I thought, that either there just haven’t been many themes released since I’ve last checked (afair over a year ago) or there just haven’t been any good themes that were submitted and accepted at AGO. To verify that, I’ve taken a look at the gnome-look.org themes-section and proved my assumption true: I browsed through the first few pages of the GTK 2.x section and my eyes began to hurt. Then, I sorted the section to start with the highest-rated themes and my eyes hurt even more. One theme was – in the matter of quality and usability – worse than the other. Everywhere you looked only rough-cut pixmaps thrown together, added some really-not-looking-good background images to the menus and the window elements themselves and finished it all up with a foreground-color that either provided an exaggerated or an awfully low value of contrast. Meh.

The bummer is, that the majority of all themes look like that and only a few ones, mostly created by known artists like roberTO, Jakub and others really look tasteful and qualitatively good. In my opinion, this was and still is a major problem of the whole OpenSource community. OpenSource gives you the power to choose, modify and re-distribute, but I guess that exactly this power is being used in a wrong way – not only in the matter of control themes!

In general, especially within the Linux area, there are nearly no standards. Spoken from the designers’ view, there are not enough definitions like the GNOME UI-Design Guideline or the Tango Project, which try to convince and help the developers and/or designers to draw qualitatively better themes while still keeping up the freedom to choose and create. Of course, this won’t stop misbehaving designers to submit themes to un- or sloppy-moderated sites like gnome-look.org, but still it would provide the GNOME folks a “pressurizing medium” to say “You make it the good way, your theme might make it into our official project releases or at least on the cover of the official sites!“.

Though, for a real GNU/FSF-guy this way might sound like to much of “controlling” and “regulating” and by that lead to an operating system like for example Mac OS X (no, not Windows, there you have an even bigger problem regarding applications that look totally different than others) is. Still, most of these guys forget, that without at least a little bit of guide-lining, regulating and separating the wheat from the chaff especially the Linux Desktop will never make it into a higher market-share. There definitely is a reason, why companies like Novell and Red Hat keep up the hard and cost-intense work on their own UI-designs and improvements. If you want the users to be convinced about using a clean and stable operating system, you cannot simply stick with a UI on which the users’ thoughts are “Uh.” from the first click they’re doing. And of course, tastes are different and each user has a different one, but in one point all users will share the same opinion: An UI needs to be tidy and neat. No pixels. No exaggerated anti-aliasing (which should be better called “blur” in 90% of the existing GTK themes). Just a sleek and intuitive interface with clean structures and without distracting or even deranging elements (… like black backgrounds, white foregrounds and pixmaps that remind you of some white-noise-graph).

On software techniques the GNOME community seems to finally has understood what KDE is doing for years now already. There has to be a clean infrastructure (or backbone or whatever you’d like to call it) for solving problems and providing features. GNOME has started the move to GStreamer some years ago and now finally also moved to a backend (PulseAudio) which provides such an infrastructure. Also, introducing D-BUS and the HAL was a big step for the whole Desktop-Project, and the Gnome VFS seems to be trying to really compete with KDE’s now. So, as it seems, developers have finally recognized, that (especially in enterprise use) a desktop with no integration and where each application works different and uses a different infrastructure for providing audio, video or whatever else will never succeed against “the big ones”.

Unfortunately, in the matter of UI design, it still seems to take a while until contributors understand that it’s worthless drawing themes that look like Vista’s interface printed on a dot-matrix printer. By that, users of other desktop systems will always keep looking and thinking of Linux to be an unstable and totally not-integrative desktop-system, hacked together by some crazy, long-bearded freaks. Because for low-brown users, the UI is an essential element that helps them deciding whether a system looks usable to them or not. With an interface where each application looks the same, acts the same and allows the user to get this work done in an undisturbing way – and maybe adds a little bit of pleasure with smooth and clean looking effects (and by that I don’t think of wobbly windows!) – even someone that’s new to the matter will be able to get in touch with it quite fast.

I’m still waiting for the day on which especially GNOME’s interface-nazis finally make the move and decline all applications that do not strictly follow clearly defined designing guidelines for a clean and usable UI – even if it would throw out half of the applications shipped with a regular GNOME desktop (like Pidgin, OpenOffice.org, and so on…). Until then, I guess that Linux itself can be as solid as a rock, as fast as a lightening and free as free beer – it won’t be able to increase its popularity and climb the higher market-shares. Just because of the “look and feel”, which sometimes is just more important then pure functionality. Else, we would still be working on the CLI, wouldn’t we?

// btw: This is my 500th post I’ve been writing within over four years now already. Heh.

I’m using the service for the first time on a Mac, since at work I only tested out their functionality under linux and had quite some problems with S3. Amazon’s Simple Storage Service is pretty cool regarding their pricing and provides a very acceptable up- and download speed – other than for example my Strato FTP does. The only complicated thing for somebody who’s new in that domain might be the “How do I start?“-point. S3 uses a “web-interface” which communicates using a documented REST-API. Unfortunately, under Linux there aren’t many clients which actually can communicate with this interface. Actually, I’ve only found the S3-Firefox-Plugin, which provided a way to maintain the different buckets and their content. Under OS X, there are some more (mostly Java-based) clients, including the native Cyberduck more-than-FTP client, what surprised my pretty much. This was actually the point where I’ve switched from Panic’s “Transmit” to Cyberduck, by the way.

However, I created my own buckets and uploaded some content to use it as web-share and test out a bit more the speed it provides. One con I’ve found up to now is the bucket-naming. Your personal bucket subjects a global namespace, what can lead to period of time needed for finding a name which is not occupied yet. This makes it for example pretty hard to automize bucket creations, for using them in an own Cloud-Service.

Besides, the EC2 is pretty cool, too. It provides a very flexible and (in comparison to S3) very automatable solution for cloud computing in general. It’s very fast to set up a new instance of whatever linux or windows on EC2 and run the stuff needed on it. The only con is the pricing, I guess – In my opinion it’s way too much for a Xen-I-think-it-is machine. For the price you would pay within one frequent month you could get a real root server at some hosting provider. Of course, you would lose the flexibility, but surely it depends on what you’re looking for.

In total, I’m really stunned of the infrastructure Amazon provides with their EC2/S3/etc. Services and I like the smooth way everything works out on them. I could really think of some cool projects to realize on top of these services… hm.

Maxdome Requirements

So, since I have my “new” internet-connection/-contract for some months now already, I just thought to try out the service it comes with, named “Maxdome”. This seems to be some kind of portal for watching television shows and even movies online – with some pay-per-view concept. My contract however includes some free shows and movies within this service, which I wanted to taste.

The first thing I did was to run the hardware-check provided on the service’s site. This actually resulted as display in the picture on the left. I was a little bit confused when I read the “Windows 98″ requirement listed within the hardware-requirements – but eh. So this test told me, my Mac was not compatible with their service – unfortunately it didn’t tell me the exact reason why.

So I just tried to watch a show. I clicked it and… well. I got the reason that made it impossible for me to watch the stuff provided by Maxdome. As it seems, there’s a need of some Windows Media Player Internet Explorer plugin, which actually makes it possible to play the DRM-content provided by Maxdome. Within the FAQs there even was the question about watching Maxdome’s content on a Linux or a Mac. The simple answer by Maxdome was: Nope, it’s not possible, unless you find a way to get an IE with the needed plugin running – e.g. using a virtualized Windows.

This is really great! So let’s just calculate a bit: A Windows XP Home installation CD + valid license costs nowadays around €80, plus maybe three or four € delivery/transport. A VMware Fusion license costs another €80, fortunately there are no shipping costs. In total, we end up with €164. After spending that money, plus around two hours for the installation and configuration of the VM/VM-Guest we can (maybe) finally play the content provided by Maxdome. Hurray.

Now, assuming that our local video rental store charges us €3 per day for a show/movie DVD (what would be pretty much, by the way), then we could take the money we spent on the VMware and the Windows XP license and borrow around 54 DVDs. If we now also assume, that we just found time to watch movies on saturdays or sundays (where we would pay €3 from saturday to monday!), we could watch movies for 54 weeks – what means that we would watch every weekend a movie, for one year and two weeks. And after that year, Maxdome starts to get interesting, because of the prices that would be half of the ones for a real DVD – but of course there would be no such quality as on a DVD either.

However, I hope you got my ironic way of getting this off my chest. I’m really pissed, and for sure I’m going to call my ISP and ask for quitting this service together with a price reduction at my contract – if that’s possible.

I can recognize some similarities there.

(and yes, installed Ubuntu 8.10 on VMware Fusion. Now I’m just building the VMware Tools for the Guest.)

conn nat-t
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
authby=secret
left=192.168.10.193
leftsubnet=10.1.0.0/24
leftfirewall=yes
right=%defaultroute
rightid=client@example.com
rightsourceip=10.100.0.2
auto=add

We added a new virtual IP (rightsourceip) for the client. The network of this IP will be defined on the server’s configuration. We need this for the whole scenario to work out, even if the client/Roadwarrior is behind a NAT. As rightid (client-id) we use the client’s e-mail address.
Server config:

config setup
plutostart=no

conn nat-t
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
authby=secret
left=10.1.0.4
leftsubnet=10.1.0.0/24
leftid=192.168.10.193
leftfirewall=yes
right=%any
rightid=client@example.com
rightsubnetwithin=10.100.0.0/24
auto=add


Here, we also defined the client’s e-mail address as rightid, defined that the right side could be anything (“%any”) and told the server to serve the virtual network 10.100.0.0/24 for the right side. By that, the configuration can be applied to different clients and the actual IP configuration is provided on the client’s side. Yet, I did not find out whether there’s a possibility to set up some DHCP server and provide connecting clients a dynamic address automatically.
However, this setup now also works with Roadwarriors that are behind NATs, what means that the actual setup could look like this:

[roadwarrior]—-[nat]—internet—[nat]—[server]—network

Isn’t this cool?
Enjoy.

Anyway, I flew over the release notes and I have to say that the whole stuff sounds pretty cool: ASP.NET 2.0 API, System.XML 2.0, System.Drawing 2.0, Mono.Cairo,C# 3.0 compiler with full LINQ support, Visual Basic 8 compiler (yay! :-D), the dotNET 2.0 Strip-Set, the FlowLayoutPanel and many more. So maybe, from this point maybe Mono could really become a real alternative to dotNET, if things keep going on like this.

However, I was wondering whether there are downloads for Mono on the Mac, but unfortunatelly the project doesn’t provide an installer for Mono 2.0 yet. Not that I would really use Mono-applications on my Mac (mostly because there still aren’t any available which use the Mac’s native interface toolkit – and I don’t really want to use GTK# on a Mac) but it would be nice for some little hacking or even writing smaller (CLI-) tools which would run on any Mono-able platform.

However, I think that the first thing I’ll do is to wait for the according packages to receive in Debian Experimental and set up some VM with an Apache that speaks ASP.net 2.0. I’m really interessted how far Mono already supports the ASP stuff and what could be done with it. The MojoPortal already is a great demonstration, but are more complex projects also possible yet?

I will see…

We’re in a network (in my example 192.168.10.0/24) and there are two components we focus on: One client (a Linux laptop, 192.168.10.184) and a VMware Server (192.168.10.193). On this server, we have a VMware NAT-Network (10.1.0.0/24), where the gateway is has the 10.1.0.2 and our JumpHost has the 10.1.0.4. The client (our laptop) now wants to be able to simply connect other hosts within our 10.1.0.0/24 network. Besides, it would be nice to have some kind of security in bewteen these connections. So what would be better than using a VPN?

Of course, we could use simple SSH tunnels or some OpenVPN setup – but this would be boring. So, we decide to to use IPsec. In detail, we’re using strongS/WAN to setup the whole scenario.

Now first of all we have two problems: First of all, we have a NAT (from the view of IPsec/IKE: NAT-Traversal) through which we can’t tunnel layer 3 protocols. The only thing we can do, is to teach our VMware Server to forward UDP or TCP ports to Guests.

The second thing that might become a problem is the fact, that we’re not using the IPsec daemon within the VM to distribute another network – instead we are distributing his own network. But however, enough with the talk, let’s do the work.

Thanks to Tobias Brunner and Daniel Röthlisberger, strongS/WAN experienced in 2006 the implementation of the NAT-T feature. This feature, allows to “tunnel” IPsec (a layer 3 protocol) through layer 4 (UDP). So the first thing we need to do, is to tell our VMware Server to forward the UDP ports 500 and 4500 to our JumpHost-VM. After we’ve done this, we can start setting up the strongS/WANs on the client and the JumpHost himself.

In this scenario I used Debian SID on both systems, since Debian’s current stable release provides only an very old version of strongS/WAN. So:

aptitude install strongswan

… on both systems. After that, we open the /etc/ipsec.secrets on both hosts and insert the following line:

%any : PSK "abcdefghijklmnopqer"

Of course, you can replace the key by your own one. After that, we take the ipsec.conf of the client and insert our configuration:

config setup
plutostart=no

conn nat-t
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
authby=secret
left=192.168.10.193
leftsubnet=10.1.0.0/24
leftfirewall=yes
right=192.168.10.184
rightsubnet=192.168.10.0/24
auto=add

As mentioned in the title, we use IKEv2. To simplify the scenario, we use the secret we just configured as authentication method. The configuration should be adaptable pretty easy for certificate usage.
On the server we now also insert our configuration into the ipsec.conf:

config setup
plutostart=no

conn nat-t
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
authby=secret
left=10.1.0.4
leftsubnet=10.1.0.0/24
leftid=192.168.10.193
leftfirewall=yes
right=%any
auto=add

After restarting both daemons, executing ipsec up nat-t and also ipsec route nat-t you should be able to ping the hosts on our 10.1.0.0/24 network.

The tricky part in this setup is the leftid= parameter in out server’s configuration. Without that option the whole authentication procedure doesn’t work out, because the daemon will complain to not have any configuration for “[192.168.10.184]…[192.168.10.193]” and because of that not let the client connect. The reason for this is, that the client only sees the NAT-Router (our VMware Server, .193) and of course tries to sets up the connection using his IP. The NAT-Router then forwards the requests to the actual strongS/WAN daemon (10.1.0.4) which of course says “Wtf?! I’m the 10.1.0.4, what should I do with this package I received for 192.168.10.193?”. And this where the leftid= parameter comes in.

However, I think the stuff should be more clear now. If there are any questions left, feel free to ask. Enjoy!

Anyway, so that’s actually the whole setup.

Is there anything in OpenSource that’s actually working without a compromise?

Anyhow, I’m not using the PCMCIA card because the internal WiFi module of my T40p is broken. I’m using it because somehow the network-manager (or the wpa_supplicant) doesn’t like my internal WiFi interface anymore and because of this of course struggles to connect to my access point. However, while writing this post now I’m just noticing – what a coincidence – that the wireless link keeps on constantly changing from 57% down to less than 30% and Last-Exit started studdering while playing music that sounds similar to The Timewriter. Argh.

However, at least my whole Laptop didn’t freeze yet, like it used to in the early days of ath5k or madwifi. Talking about freezing… the weather here became horrible. Well, actually it’s not that bad, yet, but I think I’m just still used to something between twenty to thirty degrees. And within a few days it changed from these values down to something around eleven degrees. I’m feeling like it would be winter and everything would be covered by snow. Brrrrrrr. I think I need some days to acclimatize myself to this temperatures,… but as good as I know the weather here, when I got used to the cold climate from one day to the other it will be like thirty degrees again and I will be like meh.

Oh well…

The second thing is the more and more used Shockwave/Flash stuff. With Firefox, I can play videos on YouTube smooth, fluent and with not-that-much CPU load, while the Epiphany nearly hangs up when playing such videos, produces a very high CPU load and the videos itselves studder so that it’s really no fun to watch them.

The third thing that became really annoying is the crashing. My Epiphany keeps on crashing while browsing especially sites with much content or Flash components. That’s really annoying, and the only advantage is, that Epiphany now aks whether to recover the lost session. But even this can become one’s doom when Epiphany re-loads exactly that site what made it crash and understandably hangs up/crashes, again. You can’t even click on the [X]-button, since the interface stops reacting as soon as it’s being displayed. It’s a bummer.

Now I’ve started using Iceweasel for sites that might crash Epiphany and became even more disappointed about the whole stuff. I thought that Epiphany using the Webkit version could maybe solve my problems, but unfortunatelly it’s still very unstable development code and besides, it doesn’t have any Flash-plugins yet. So I think I’m forced to start using Mozilla’s original, even if I dislike it. The freedom to choose (a.k.a. OpenSource) really is a big deal when you have ten products, out of which eight are not using the toolkit you’re working with/do not integrate at all into your desktop, and the preffered one of the two choices left doesn’t do the job at all. On this situation, I say, feel free to restrict me to one choice, which at least integrates and works the way I expect it – talking about Safari on the Mac.

By the way: Webkit is the way to go. Forget this damn Gecko engine.

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

Btw: Don’t forget to put your secret into /etc/pam_ldap.secret! Anyway, let’s go on…
/etc/pam.d/common-account:

account sufficient pam_unix.so
account sufficient pam_ldap.so
account required pam_deny.so

/etc/pam.d/common-auth

auth sufficient pam_unix.so
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

/etc/pam.d/common-password

password sufficient pam_unix.so nullok md5 shadow use_authtok
password sufficient pam_ldap.so use_first_pass use_authtok md5
password required pam_deny.so

The common-session doesn’t need to be changed on the setup we need. Now, edit /usr/share/migrationtools/migrate_common.ph and change the domain to yours. With the tools (migrate_base, *_passwd, *_group) contained in that directory you can migrate your actualy existing /etc/passwd and /etc/group to your ldap. Or you just create these entries manually. However, now let’s load the apache modules:

a2enmod ldap
a2enmod authnz_ldap

… and reconfigure our WebDAV VirtualHost:

...
DAV On
AuthType Basic
AuthName "WebDAV"
AuthBasicProvider ldap
AuthLDAPURL "ldap://127.0.0.1/ou=people,[your base here]"
AuthLDAPRemoteUserIsDN off
ForceType text/plain
Require valid-user
Require ldap-filter &(uid=*)
...

And last but not least, let’s restart all servics:

/etc/init.d/slapd restart
/etc/init.d/nscd restart
/etc/init.d/apache2 restart

Voila! The authentication of your WebDAV against LDAP should be working now. Now the only thing that’s left to do, is to remove the user www-data from the shadow group again. And maybe you’d like to change your LDAP-user’s passwords:

ldappasswd -x -D cn=admin,[your base here] -W uid=[username],ou=people,[your base here] -S

And the next time, I’ll show you how you can build yourself an automatic back-scratcher using a wall, glue and a cat.

Thanks to tuhl for this info.

SSLEngine On
SSLCertificateFile /etc/apache2/ssl/my.serv.er.crt
SSLCertificateKeyFile /etc/apache2/ssl/my.serv.er.key
DocumentRoot /var/www/
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>

ErrorLog /var/log/apache2/error.log
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature On
</VirtualHost>

The certificate-folder needs to be created and the certificates need to be generated:

~# mkdir /etc/apache2/ssl
~# openssl genrsa -out /etc/apache2/ssl/my.serv.er.key 1024
~# openssl req -new -days 365 -key /etc/apache2/ssl/my.serv.er.key -x509 -out /etc/apache2/ssl/my.serv.er.crt

Next, we add the WebDAV/PAM settings to our SSL-VHost, while /home/pub is the folder we’d like to publish:

...
DAVLockDB /var/lib/apache2/DAVLockDB
Alias /pub /home/pub/
<Location /pub>
DAV On
AuthType Basic
AuthName "WebDAV"
AuthPAM_Enabled On
#AuthPAM_FallThrough Off
AuthUserFile /etc/shadow
ForceType text/plain
Require valid-user
</Location>
...

And last but not least, we (unfortunatelly) need to add the user www-data to the group shadow:

adduser www-data shadow

Now we can restart our Apache and enjoy the pleasure of WebDAV. If it should not work, check the permissions you set for the directory you’re publishing.
And what could this be used for? For example, as self-made iDisk.
Enjoy.