Tuesday, December 13, 2011

CyanogenMod 7.1 for Nexus One and Google Talk

I recently dumped the stock ROM on my Nexus One, after Google failed so many times to implement proper Arabic support and enable the FM radio, and installed CyanogenMod 7.1.0.

One issue is that the Google Apps bundle that is compatible with that bundle has a version of gtalk that is not compatible with the Nexus One, because the phone doesn't have a front camera.

I installed the latest gApps and then grabbed a Gingerbread stock ROM and took the talk.apk file from it and installed it. Now GTalk works.

The stock ROM is about 80 MB, so I took the liberty of uploading the file for you here:
talk.apk (600 kB): 67e322ecdd038cfc4344b6a5ee4cf1da (md5 sum)

Copy it to your SD card then open the file manager and install it.

Sunday, December 11, 2011

BarCamp Kuwait Three

Barcamp Kuwait three is coming up on January 7th, 2012! Register now (free).

Click here for details.

Saturday, December 10, 2011

Virtualization Workshop

Greetings humans and bots!

I'll be presenting and showcasing a VMware vSphere5 virtualization workshop at Kuwait IT Society in Rouda area on Wednesday at 7 PM.


What is virtualization? What does it have to do with cloud computing? What features does it offer? Is it worth the hype & the investment?
All of that & more plus a live demo of a VMware infrastructure in the session. No cats will be hurt during the demo.

Note: I'll briefly mention the differences between offerings from Citrix, RedHat, Microsoft, VMware & IBM, but most of the focus will be on VMware as it's my area of expertise.

The event is free for all to attend so feel free to invite others.

Saturday, October 29, 2011

Drizzle, NGINX, PHP and PHP-APC

Introduction

This is a guide/howto on setting up Drizzle database, Nginx webserver, PHP (CGI) and PHP-apc (bytecode cache) on Debian Linux 6 (codename Squeeze).

NOTE: If the guide is too messy to read here, head over to this Google Document for better formatting.

Why?

Apache and MySQL are quite heavy and MySQL has been becoming worse thanks to the idiots in Oracle. NGINX has been getting a lot of recommendations and it’s proving itself to be quite stable and faster than any existing webserver in the arena.

Drizzle DB is the child of the co-founder of MySQL after he left MySQL when Sun bought it. Its main focus is web applications, and easy replication of databases.

From preliminary tests on a non-optimized virtual machine, I was able to reach 800 requests/sec for read/write operations and 2400 requests for read-only operations, hitting my URL shortening web application on NGINX and Drizzle. My VM had 1 core and 512MB RAM, but only 69MB RAM was used during the tests!

Stress Test

Hardware: Lenovo laptop with an Intel(R) Core(TM)2 Duo CPU P8600 @ 2.40GHz, 6GB RAM, running Debian6 32-bit.
Software: VMware Workstation v7. The VM has 512MB RAM and 1 core allocated, running Debian6 32-bit (business card installation). VMware tools were not installed during the stress tests.

I had apc statistics enabled and access logging enabled in NGINX at first, but turning them off reduced load times from 126ms to 16ms for read/write operations and from 40ms to 4ms for read-only requests.

Read/write test: ab -c13 -n 10000 http://192.168.59.135/shorten.php?longurl=http://bit.ly
Requests per second:    789.07 [#/sec] (mean)
Time per request:       16.475 [ms] (mean)
Time per request:       1.267 [ms] (mean, across all concurrent requests)
CPU utilization: 25% Drizzle, 19% NGINX, 2.3% * 15 PHP CGI processes.

Read-only test: ab -c13 -n 10000 http://192.168.59.135/a
Requests per second:    2633.09 [#/sec] (mean)
Time per request:       4.937 [ms] (mean)
Time per request:       0.380 [ms] (mean, across all concurrent requests)
CPU utilization: 49% NGINX, 3.3% * 15 PHP CGI. Drizzle wasn’t showing in “top.”

The read-only test involved engaging a REWRITE rule from NGINX, which puts a tad bit more processing on its shoulders.

The numbers above are very specific to my application, but the numbers can be much better if I install VMware tools to provide VM optimizations, so don’t let the 49% CPU usage put you off.

0) Installation
0.0) Drizzle
Note: Drizzle relies on upstart, which means sysvinit will be removed.

First, add the PPA to /etc/apt/sources.lst using your favorite editor

      deb http://ppa.launchpad.net/drizzle-developers/ppa/ubuntu maverick main
      deb-src http://ppa.launchpad.net/drizzle-developers/ppa/ubuntu maverick main

Run:
      sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 06899068
      sudo apt-get update
      sudo apt-get install drizzle
(to continue, you’ll have to type ‘Yes, do as I say!’ excluding the single quotes)


0.1) NGINX
      sudo apt-get install nginx


0.2) PHP

      sudo apt-get install php5-cgi php5-mysql php-apc

The PHP extension for drizzle is available as a PECL but it’s not kept up to date & since we’re gonna compile either way, we’ll have to install some dev packages & a compiler. Those can (should) be removed after the compilation of the extension, if you’re doing this on a production box.
      apt-get install php5-dev libdrizzle-dev make

This is to fix a bug in the configure script looking in the wrong place
      ln -s /usr/include/libdrizzle-1.0/libdrizzle /usr/include/libdrizzle


Grab the latest stable Drizzle PHP extension from here: https://launchpad.net/drizzle-php-ext
      wget http://launchpad.net/drizzle-php-ext/trunk/0.5/+download/drizzle-php-ext-0.5.tar.gz
      tar -zxf drizzle-php-ext-0.5.tar.gz
      cd drizzle-php-ext-0.5
      ./configure
      make -j2
      make install


Let’s clean up after the mess
      make clean
      apt-get remove php5-dev libdrizzle-dev make
      apt-get autoremove
      rm -I /var/cache/apt/archives/*

In my case, the modules were copied to: /usr/lib/php5/20090626+lfs/  and the module drizzle.so is ready to be included in php.ini later.

Resources:

http://www.phptutorial.info/?apc.configuration
http://devzone.zend.com/article/4793
http://php.net/manual/en/install.pecl.phpize.php
http://chrisschuld.com/2007/07/missing-phpize/

1) Configuration
1.0) NGINX

The configuration of nginx is not a standard process. Each website may have its own specific setup & needs that one would have to tweak the settings around to fit one’s needs. Make sure you refer to the referenced links to see all available options and things to avoid doing.

I’ll include my own configuration changes here and not the full configuration file.

Modify the file /etc/nginx/nginx.conf
   worker_processes 3;


   error_log /var/log/nginx/error.log;
   pid /var/run/nginx.pid;


   events {
       worker_connections 1024;
       multi_accept on;
   }


   http {
       include /etc/nginx/mime.types;
       access_log off;
       # if you want to have an access log, comment the line above and uncomment the following one
       # access_log /var/log/nginx/access.log;


       sendfile on;
       tcp_nopush on;
   }

Modify the file /etc/nginx/sites-enabled/default
   index index.php index.html index.htm;


   server {
       # this block redirects all connections to www.domain.com to domain.com 
       # this is handy for cache configurations like Varnish & for statistics
       # if you prefer to view your site as www.domain.com, swap server names
       listen 80;
       server_name www.domain.com;
       rewrite ^ $scheme://domain.com$request_uri redirect;
   }


   server {
       listen 80;
       #listen [::]:80 default ipv6only=on;


       server_name domain.com;
       root /var/www/;
       #access_log /var/log/nginx/localhost.access.log;


       location / {
           try_files $uri $uri/ /index.php;
       }


       location ~ \.(jpg|jpeg|gif|png|css|js|ico|xml)$ {
           #I don’t want it to search for directories so I removed $uri/
           try_files $uri /index.php;
           #enable this if you enabled access logging previously
           #access_log off;
           expires 30d; #useful for caches
       }


       location ~ \.php$ {
           try_files $uri /index.php;
           include fastcgi_params;
           # unix sockets are faster & better than binding to a port
           fastcgi_pass unix:/tmp/php.socket;
       }
   # remember to include other settings from the original config file
   }

Modify the file /etc/nginx/fastcgi_params
   fastcgi_param  SERVER_SOFTWARE    nginx;
   fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
   fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;



Create a new file /etc/init.d/php-cgi
#!/bin/bash
BIND=/tmp/php.socket
USER=www-data
PHP_FCGI_CHILDREN=15
PHP_FCGI_MAX_REQUESTS=1000
 
PHP_CGI=/usr/bin/php-cgi
PHP_CGI_NAME=`basename $PHP_CGI`
PHP_CGI_ARGS="- USER=$USER PATH=/usr/bin PHP_FCGI_CHILDREN=$PHP_FCGI_CHILDREN PHP_FCGI_MAX_REQUESTS=$PHP_FCGI_MAX_REQUESTS $PHP_CGI -b $BIND"
RETVAL=0
 
start() {
      echo -n "Starting PHP FastCGI: "
      start-stop-daemon --quiet --start --background --chuid "$USER" --exec /usr/bin/env -- $PHP_CGI_ARGS
      RETVAL=$?
      echo "$PHP_CGI_NAME."
}
stop() {
      echo -n "Stopping PHP FastCGI: "
      killall -q -w -u $USER $PHP_CGI
      RETVAL=$?
      echo "$PHP_CGI_NAME."
}
 
case "$1" in
    start)
      start
  ;;
    stop)
      stop
  ;;
    restart)
      stop
      start
  ;;
    *)
      echo "Usage: php-fastcgi {start|stop|restart}"
      exit 1
  ;;
esac
exit $RETVAL

Run the commands:
      chmod +x /etc/init.d/php-cgi
      update-rc.d php-cgi defaults
You are now able to start the php cgi service: service php-cgi start

References:

1.1) PHP
These are minor modifications and you should take an overall look at the config file to see if you’d like to make any other changes.

Modify the file /etc/php5/cgi/php.ini
      ; this prevents PHP from executing scripts uploaded by users into image directories
      cgi.fix_pathinfo=0
      ; required for security reasons on CGI deployments
      cgi.force_redirect=1
      expose_php = Off
      ; original value is 128M which in my opinion is too much
      memory_limit = 64M
      ; before the File Uploads section, add this
      ; apc settings
      apc.shm_size = 32M
      apc.stat = 0
      ; before the Module Settings section, add this
      extension=drizzle.so

References:
http://devzone.zend.com/article/12618
http://www.phpjabbers.com/measuring-php-page-load-time-php17.html

1.2) Drizzle
Run:
      mkdir -p /home/drizzle/db/.temporary
      cp -Rv /var/lib/drizzle/* /home/drizzle/db/
      chmod -R 750 /home/drizzle
      chown -R drizzle:drizzle /home/drizzle
      mv /etc/init/drizzle.conf /etc/init/drizzle.conf.orig

Make a new file: /etc/init/drizzle.conf
      # Drizzle Service

      description     "Drizzle Server"
      author          "MBH "

      start on runlevel [2345]

      stop on runlevel [016]

      expect fork
      script
          DRIZ_VARS="--user drizzle --datadir /home/drizzle/db --drizzle-protocol.port 3306"
          start-stop-daemon --quiet --start --pidfile /home/drizzle/db/drizzle.pid --chuid drizzle --group drizzle --startas /usr/sbin/drizzled -- $DRIZ_VARS
      end script

Notes:
  • Drizzle doesn’t support unix sockets to make sure applications connect to 127.0.0.1 rather than localhost, if the DB is local.
  • The drizzle username created in Debian doesn’t have a shell nor a home directory, and it should remain this way.
You can now start poking with Drizzle and make your own applications. Here’s a link for a quick usage of Drizzle and PHP: http://devzone.zend.com/article/4793

References:

Monday, October 24, 2011

Kuwait Traffic Jam Survey for 2011

I created a quick survey (Arabic) to measure the sources, destinations and times of traffic in Kuwait. The survey is 14 questions only, so kindly answer them and spread the link around. Thank you!




The results will be posted on http://www.mbhbox.net later on when enough data has been collected.

Thursday, October 13, 2011

Mobile Apps Development Discussion Panel

Ahmad Al-Ibrahim, co-founder of Koutbo6.com, is moderating a discussion panel about Mobile Apps Development which is hosted by KITS (map) on Tuesday Oct 18 7:30PM-9:30PM (calendar event).

The event's guests/speakers are:
  • Abdullah Al-Khulaifi
  • Abdulrahman Al-Zanki
  • Hussain Al-Bustan
  • Fahad Al-Mudhayan
  • Mohammad Al-Meer
This is a public event and everyone is free to come & invite others, too!

Questions for the speakers can be asked from now and the moderator (Ahmad) and the audience will vote on which questions to be asked: http://goo.gl/fcSgG

Thursday, October 6, 2011

Viva's Insecure Online Payment System

Viva's website allows you to pay your bills using credit cards like VISA or MasterCard, or the regionally accepted K-Net. In the case of VISA and MasterCard, Viva pushes the data (your phone number, email, credit card number, expiration date, cvv code) in clear text, without encryption!

In any website that takes payments or has a user authentication portal, should offer a secure channel using SSL/TLS and the user sees the link starting with "https." In addition, current browsers show part of the address bar in green when the browser is able to verify that the website is secure and it is who it claims to be.

A friend was worried as she didn't see "https" in the URL, so I checked the pages' source code to see if it was sending the data in a secure channel via javascript or some other mean, without showing it in the URL, alas, it was all in the clear text.

Here's a screenshot of a sniffed packet session from my machine to viva.com.kw (94.128.1.30), while submitting the form data.


This is some of the text from the packet (I removed my personal data):
prepRechargeCreditForm%3Aholder=Mojo+Jojo&prepRechargeCreditForm%3AcardNumber=4550xxxxxxxxxxxx&prepRechargeCreditForm%3AyearList=XY&prepRechargeCreditForm%3AmonthList=XY&prepRechargeCreditForm%3Acvv2=XYZ&autoScroll=&prepRecharg

I have contacted VIVA Telecom and Mr. Salman Al-Badran (CEO) via Twitter  on Saturday Oct 1st (when I found out about the issue). Mr. Salman replied on the same day and said he'll forward it to his team. I also gave him my email address in case his team wanted to get in touch with me.

Three days later I told Mr. Salman that the problem is still there and that I'll publish my findings on my blog next Sunday (a week from reporting the issue). He replied saying it'll be fixed on Oct 6th.

[this is fixed now] I checked today (Oct 6th) and the form now redirects to a secure website (https). The address bar may not always appear in a green color; In that case, do not use the website, but instead, refresh or try again until the icon looks like this:  not like this . Description of these can be found here. (the two images were produced by Google.)

[this is fixed now] Also, it seems like the changes they made broke the form in the main page, which sends the @ sign of the email address in hex form (%40). Just change the %40 to @ and submit the form again and it'll work.

I'd like to thank Mr. Salman for his prompt response to the matter. I wish other enterprise corporates' CEOs were as attentive and interactive with the consumers as he is. I would also like to point the finger at the technical team and the audit team who let this one slip by! This is a trivial and pivotal requirement of any online payment system!


What kind of complications the insecure site would have?
An attacker in the same network as you are can capture clear text that is being sent from your machine/mobile to the website. That's why the data shows in clear text in the picture above. If the connection was secure, it would have been garbled.

If the address bar showed in red, it is still possible to attack a visitor from the same network, by altering the content that is being transmitted via insecure channels, which could lead to changing the form itself and the user would end up sending the data to a different script/page or a whole different website that the attacker crafted to collect the data.

Monday, September 26, 2011

Botamba Owns Your Twitter Account

Updated
Scroll to the bottom for the updates.


Botamba.com is a blog aggregator and it used to allow creation of users and then each user would link his/her blog(s).

I checked yesterday after a friend mentioned it redirects to twitter now, and it seems like they did changed their methodology to requiring Twitter and it asks to allow their application to access your Twitter account!!! It was based off a typical user/pass authentication previously.

What's worse is that their application gets the following permissions:
  • Read tweets from your timeline (even if it's private)
  • See who you follow, and follow new people
  • Update your profile
  • Post tweets for you
It can not do the following:
  • Access your direct messages
  • See your Twitter password

Why does a blog aggregator needs access to my Twitter account, see my timeline, post for me, update my profile & other privileges?! That's a massive privacy invasion, even if it provides certain ease of use for some users (to use their existing accounts).

If you did not know about this, and you've already allowed Botamba to access your account, you can deauthorize it by going to your profile settings, applications and deauhorize it from there.


So what could Botamba do?
They can get your tweets and follower list and sell that information to advertisers (currently sponsored by Zain). Advertisers can use the info to send you targeted advertisement by reading your tweets and seeing where you have been or what you liked and talked to with your friends.

How can I tell if Botamba posted on my timeline?
Some Twitter clients show the name of the program that posted on the timeline. In this picture you can see under the tweet the line "from TweetDeck." That's the name of the program and in case of Botamba, you'll see the line "from Botamba."

Solution?
Ask Botamba to NOT use Twitter for authentication & not invade your privacy (even if they *promise* they wouldn't), and ask them to put back the old user registration system, or use OpenID instead.

I'm waiting for a comment from Botamba on this issue to see what they have to say about this.

Update:
- Oct 4th: Botamba has deployed a user/pass authentication system. You can link your Twitter account but it gets read-only access to your timeline
- Oct 5th: Botamba's valid reasoning in using Twitter account-linking: If you own a public Twitter account that you'd like to be mentioned in Botamba's tweets/posts, you can link it to your account (read-only mode & only reads your public timeline). If you have a private account, you wouldn't want it to be public & tweet it, so you won't add it.

In the end, I'd like to thank Botamba for being responsive and understanding to the sensitivity of users' privacy!

Thursday, September 1, 2011

SSL Certificates Stolen

The issue of DigiNotar's breach keeps getting worse; Computer World writes that over 200 SSL certificates have been generated & stolen, signed for Google, Yahoo, Mozilla, Tor Project among many others.

Google & Mozilla have updated their browsers to remove the affected certificates/invalid signatures, but in the latest build of Chrome on Linux (13.0.782.218) I still see DigiNotar as a CA.

I suggest you delete DigiNotar from all your browsers as it's not worthy of trust at the moment. Remember, if you update your browser, double check its existence as it may be added again by the update.

Wednesday, August 3, 2011

Designing Software For The Poor and The Rich

This is just a quick post of an idea I got today about how to kind of "force" people into buying/supporting software companies.

Many a time I come across some software that I need to use only once, or maybe a few times a year only. I don't see a need to pay for that, but maybe someone who uses it very often *should* buy it.

The idea is to create software that gradually slows down (i.e., functions slower/take more time to execute the same functions) the more you use it. If left unused for a while, it gains speed gradually.

This would come in handy for those who use software for commercial use, as they'd be running it very often, unlike hobbyists or one-time users.

I do admit, this is an annoying and evil idea, but there are users out there who don't bother donating for free software that they use very often, yet keep ranting at its bugs!

Oh, and if you're wondering about how the title doesn't fit and it should've been "The Casual & The Avid," well, if you're poor, you won't pay and you'll suffer the slowness. Much like with cars.

Monday, June 20, 2011

MtGox Compromise And What It Means To Me

MtGox is a BitCoin Exchange Market for the BitCoin digital currency and I have read about BitCoin last year but waited for it to mature before stepping into the market.

About two weeks ago I invested in MtGox about $880 USD and 2 days later a Distributed Denial of Service (DDoS) attack was launched at MtGox. I did some reading and it wasn't the first time they were under attack and they had everything secured and well planned so I wasn't worried.

The market volume suddenly increased with massive quantities flooding the market, followed by a market crash (prices dropped to $13/BTC where the price previously was $17). MtGox closed the market and halted all transactions. Apparently, they were compromised.

I panicked at first as I couldn't access my account on MtGox (they froze all) and they said they were going to do a roll over, which means undo everything and return to the state before the crash.
I wasn't happy because I didn't know the state of my money & coins, and those who bought coins at cheap prices could have withdrawn the coins from the market which means there is no way to trace the coins nor return them.

I still don't know how will MtGox deal with those who bought cheap coins & withdrew them, but if they do a roll back, they'll get their money/coins back to what they had before the crash, in addition to the coins they withdrew! That means extra profit! Unless they monitored the withdrawn amounts from each account and will balance those out.

Anyway, I searched for my username on Google in relation to MtGox but nothing came up. Maybe Google didn't have time to index all pages, they're underground or maybe my user wasn't affected. Either way, my account will be rolled back and the password I used was unique to MtGox itself, so the attackers can't access my email or any other service associated with my email.

Moreover, MtGox has switched to an obscenely secure password hashing scheme: SHA-512, along with contacting GMail and providing them with a list of compromised email addresses so GMail could block them and require a password reset before accessing them (I was one of those affected).

MtGox keeps updating its post with news of what they're doing so they've not neglected their customers, even when under such a big stress.

In my opinion, I'm sticking with them because only at rough times you'll see what a good company can do for its customers, and while there are inconveniences, the overall success of containing the situation was successful.
Perhaps people would have felt much better had MtGox shared how it manages its systems and what kind of security schemes are implemented so that we know they can be trusted. I hope they do that soon.

Away from MtGox, and in general, those who know me well know pretty well that I'm a paranoid person when it comes to computers and being online. Below are some of my practices for staying safe:

  • Different passwords for different accounts.
  • If I forgot a password, it's OK, I request a password reset.
  • Passwords are at least 10 camel-cased alpha numeric and special characters.
  • My passwords are a mixture of meaningful words forming a non-meaningful sentence: R0undTomatoe$Insid3Triangl3Whalez
  • Always check my emails from my own systems & never someone else's (not even family or friends).
  • GMail shows you the list of IPs of who last accessed your account & alerts you on suspicious access.
  • When you create an account at a new site, request a password reset; if they send you the exact password in plaintext, close your account. They're not securing their database & don't care about your account security.
    If they send you a link to reset the password, or email you a randomly generated password, then you're fine.
  • Use different browsers: One for your accounts and another browser for everything else.
    I use Chrome for GMail and Twitter. All links in emails or tweets are opened in Incognito mode (separate/isolated processes from the main) or in Firefox.
  • I use Linux. No Windows or Mac for me, and please don't laugh at Windows if you're a Mac fanboy, Mac OSs are less secure than Windows but aren't targeted as much because you're a minority.
  • If you have to use Windows, use a good antivirus. I put Kaspersky on my family members' machines. I had used it for companies and fully trust it.
  • Do not open emails from strangers.
  • Emails that say they're from good & honest people are most likely aren't.
  • Email that come from addresses of people you know aren't necessarily from them. The addresses can be spoofed, i.e., I can send you an email from your account without accessing your account. Magic.
  • If someone you know asks you for your password or to install something you don't know about, call them and ask them in person.
  • If you read online about a nice service that you use that isn't secure, you better not shrug it off and say that you won't be affected. That's how everyone gets slapped in the end.

I probably have other habits that don't come to mind right now. If you have any suggestions, leave a comment (you can do so anonymously) and I'll be more than happy to add it to the list.

Live paranoid. Live safe.

Tuesday, June 7, 2011

Kuwait ISPs Capping Bandwidth

Updated1: Tuesday 7th, 8:44 PM

Update2: Wednesday 8th, 8:17 PM

ISPs in Kuwait have decided to gang up on residential consumers rather than step up to the Ministry of Communication's abuse. After all, it's easier (and cheaper) for multi-million companies to bully users rather than file a lawsuit against a ministry.

ISPs have setup what they call Fair Usage Policy, where they claim they have generously defined daily bandwidth cap/limits on users, to ensure that everyone has a pleasant experience. They have enforced this policy, WITHOUT NOTIFYING USERS!

Fair Usage Policies: QualityNet, KEMS, FastTelco and GulfNet. As you can see, some have blatantly put up the caps and others are doing it subtly without mentioning what the caps are.

According to them, "some" bandwidth abusers are the cause of this, as such, everyone must suffer!
It is not enough that they have increased their prices by at least 70% this year (February 2011), the increment was approved by the Ministry of Communications, and now the ministry is saying it'll fight the price increments!!! WHO THE HELL DO YOU THINK YOU'RE FOOLING?

In addition to the high prices and bad service, consumers were never compensated during the days of degraded service when there were regional cable cuts, which lasted for about 3 weeks.

If ISPs are saying that a few abusers have caused this, then why provide them with bandwidth if the ISPs can't handle it? Don't provide 24Mbps if you don't expect users to download at 24Mbps!!!

Speed (Mbps)Max Downloadable/Day (GigaBytes)New Cap Limit/Day (GigaBytes)
110.541.7
1.515.821.9
221.12.9
331.643.8
4424.7
552.735.4
663.36
773.836.8
884.47.9

The formula is: Daily maximum downloadable content = (Speed in Mbps/(8*1024))*3600*24

As you can see, we're getting barely 15% of what we paid for! And that's FAIR! Take a look at this nice table for more info.

Consumers are enraged and are forming an alliance to file lawsuits against the ISPs to fight for their rights. It doesn't matter if the contract mentioned Fair Usage or not, it doesn't matter if the contracts says it can be updated without prior notice or not, you cannot rip us off like that.

We have games to play online, buy & download games online (via Steam), rent movies online (iTunes, YouTube, NetFlix and Hulu) and watch many kitty-infused videos on youtube, in HIGH DEFINITION.

ISPs do NOT get the right to define what the Internet is.

Update1: We're using the hash tag #q8cap on Twitter to rant and disclose information about the topic.

Update2: @justjimmar provided a chat log with KEMS on Facebook. Ridiculous reasons for the cap! (original link to chat log)

Tuesday, March 29, 2011

PXE Installation of VMware ESXi 4.1

Introduction

Installing ESXi on multiple hosts at the same time over the network is achieved through PXE booting. Unfortunately many of the guides I found online take a long route to setup PXE booting on Linux and install multiple programs, each with its own config file which complicates the matter.

I chose to use DNSmasq because it provides DHCP, DNS, PXE & TFTP services all in one program. In addition, thanks to Simon, he added a feature where you could assign IPs sequentially rather than based on the Mac address. Read here for details.

This mini-guide assumes the use of Linux. If you're a Windows user, I suggest you use 3C Daemon tool from 3Com which offers DHCP, FTP, TFTP & PXE services for Windows.

I have setup a virtual machine dedicated to PXE booting & installation to make it portable & share it with others. Feel free to run your tests on a VM or a physical box.

Requirements

  • Linux OS. My choice was Debian.
  • VMware ESXi Hypervisor ISO file.
  • Internet connection.
  • pxelinux.0 file from syslinux version 3.
  • Chocolate chip cookies. mmmmm.

Installation & Configuration

0] Install the operating system (Debian) and setup a static IP on the NIC.
1] Edit the file: /etc/network/interfaces -- My editor of choice is nano.
auto lo
iface lo inet loopback

allow-hotplug eth0
iface eth0 inet static
   address 10.172.0.250
   netmask 255.255.255.0
   gateway 10.172.0.254

2] Run the command: service networking restart
Note: In the initial setup, put the IP above to match your network to be able to download then change it once you're done with this guide to the above to avoid conflicts with any network.

3] Install apache and dnsmasq: apt-get install apache2 dnsmasq
4] Edit: /etc/dnsmasq.conf
dhcp-range=10.172.0.1,172.10.0.100,255.255.255.0,infinite
dhcp-option=66,10.172.0.250
dhcp-option=67,"pxelinux.0"
dhcp-boot=/srv/tftp/pxelinux.0
enable-tftp
tftp-root=/srv/tftp

Note 0: The IPs above do not need to match your network.
Note 1: "infinite" is the lease time. The ESXi installer invokes a lease-release token which will cause the IP to be used by another host. I did not want that to happen because I have scripts assigning hosts their IPs sequentially.

5] Create the directory structure: mkdir -p /srv/tftp/pxelinux.cfg

6] Download syslinux v3, extract pxelinux.0 & put it in /srv/tftp: wget <URL>
7] Extract the files: tar -xf <File name>
8] Copy pxelinux.0: cp ./syslinux-3.86/core/pxelinux.0 /srv/tftp/
9] Create PXE boot file: nano /srv/tftp/pxelinux.cfg/default and edit it:
default esxi_scripted
label esxi_scripted
   kernel vmware/esxi411/mboot.c32
   append vmware/esxi411/vmkboot.gz ks=http://10.172.0.250/ks.php --- vmware/esxi411/vmkernel.gz
   --- vmware/esxi411/sys.vgz --- vmware/esxi411/cim.vgz ---
   vmware/esxi411/ienviron.vgz --- vmware/esxi411/install.vgz

prompt 0
timeout 10

Note: Make sure all of the append parameters are on one line. It may pan out here due to little page width.

A] Edit: /var/www/ks.php
accepteula
rootpw password
autopart --firstdisk --overwritevmfs
install url http://10.172.0.250/vmware/esxi411
network --bootproto=dhcp --device=vmnic0
reboot

The above is a kickstart script which the ESXi installer will execute. These are the defaults that are found in the PXE Guide by VMware.
Note: This will install to the first disk detected by the BIOS and will overwrite existing VMFS filesystems.

File Preparation

B] mkdir -p /srv/tftp/vmware/esxi411
C] Copy the contents of the ISO file to the directory above. You can mount an ISO by: mount -o loop /path/to/isofile /mnt. The files will be in /mnt: cp -Rv /mnt/* /srv/tftp/vmware/esxi411/
D] Link to vmware directory: ln -s /srv/tftp/vmware /var/www/vmware
E] service dnsmasq restart

By now, things should be good to go!

Caveats

  • If you set this in a VM, keep the NIC disabled by default to avoid wiping systems by mistake and broadcasting DHCP over the LAN.
  • If using a VM, the physical adapter must have a static IP not set on DHCP
  • To reset the list of leases: echo "" > /var/lib/misc/dnsmasq.leases

This shows a very basic and default setup of installing ESXi over multiple boxes. Hopefully I'll have the time to post my custom scripts that integrate into the kickstart script to auto-assign IPs, VLANs, and a few more tasks to streamline the installation.

Sunday, March 13, 2011

BarCamp Kuwait Two

The 2nd barcamp is being planned and we're looking for people interested in participating with presentations to make our reservations. You're welcome too if you'd like to just attend!

Details about the event: http://goo.gl/DuLTu -- Please make sure you fill in the form at the end of the page!

What is BarCamp? An ad-hoc gathering where people present their projects and experience in the IT field. We usually have key speakers and then The Grid, where other speakers arriving to the event reserve a slot to give their speech. Slots are first-come-first-serve.

Saturday, March 12, 2011

DNSmasq Offers Sequential IP Addressing

A few days back Simon, the developer of DNSmasq, added an option for DNSmasq to serve IPs in a sequential manner rather than based on a hash of the MAC address, upon my request.

He was kind enough to implement it, allowing me to use DNSmasq as a DNS, DHCP, PXE & TFTP daemon for my VMware ESXi automated deployments.

This feature is available in version 2.58 test 4. I tested it on a bunch of virtual machines simulating an ESXi installation and everything went smooth.

I have to note: If you're using it for ESXi deployments, you may want to set the lease expiration time to infinite because the ESXi installer sends a lease release after the installation is done, causing subsequent hosts to get the same IP.

Big thanks go to Simon!

Friday, March 4, 2011

VMware ESXi 4.1 on IBM BladeCenter with Nortel Switches

Update: We resolved the issue permanently and I understand what was going on, but have little time to post everything soon. If you're in a hurry and want help, leave a comment or email me.

One of our customers purchased two BladeCenter H Chassis for deploying VMware on them. Each chassis came with two Nortel switches providing 2 internal ports and 9 external ports. The external network ports are: 3x 10Gbit and 6x 1Gbit.

The customer has a physically isolated DMZ network, so one 1Gbit port from each switch was dedicated to a DMZ switch (VLAN1).

The client had purchased only 2x 10Gbit SFPs, so the third port was empty and won't be used in this setup.

To make use of VMware's Virtual Switch Tagging (VST) network concept, the switches which the blades have to be connected to must be configured as a trunk and allow the required VLANs to pass. Also, the Nortel switch on the BladeCenter must be configured to pass those VLANs, for both external and internal ports.

The following VLANs were created:

  • Management
  • vMotion
  • Fault Tolerance (FT)
  • Virtual Machines
After configuring the external and internal ports of the Nortel switch to be part of those VLANs, a strange problem popped up: I couldn't ping or reach any of the ESXi hosts in any way, unless I pinged my workstation from within the ESXi server first!

To make matters clear, here's how things were connected:
My workstation -> Server Farm Switch
BladeCenter -> Server Farm Switch

Ping from workstation to any ESXi host: Fails
After 1 ping from an ESXi host to my workstation: Succeeds, and all pings from my workstation to that specific ESXi host go through.

Also, even after traffic is established and I connect using vSphere Client, it disconnects me after about 15 minutes and I can no longer communicate with that host until I ping my workstation from that host again!

After poking around for hours, the solution was to take one external port (1Gbit) out of all VLANs except 1. That is, that port must not belong to any VLAN except VLAN1 (untagged). Doing so, allowed us to communicate with all servers smoothly.

I still don't understand why that worked and whether traffic is now passing through the tagged external ports or that specific untagged port. I'll be doing more investigations next week and update this post.

Monday, February 14, 2011

P2V Conversion of OEM Windows Systems

A physical to virtual conversion of a machine running an Original Equipment Manufacturer (OEM) Windows license will not be without hiccups.

Because the OEM validates the product key against the hardware itself, after the conversion process, the validation program will not find any OEM hardware thus rejecting all keys, even the standard ones. This is true for desktops, laptops and servers.

If you don't know what OEM is, it's similar to buying a Lenovo laptop with Windows preinstalled on it. In this case, all the hardware was provided by one manufacturer and the operating system (OS) will validate against the OEM hardware only.

The only solution is to obtain a Volume Licensing media of the same OS and a product key for it, then perform an OS repair (not using the recovery console).

Simply put, you boot up from the media, proceed as if you want to install, then select the partition that has been detected to have an existing OS and select Repair rather than a fresh installation.

All your settings and configurations will be preserved for your programs. You may need to reinstall certain hot fixes or a service pack.

Note: If setup cannot see the SCSI hard disk (in case of Windows XP), see this KB.

References:

Sunday, January 30, 2011

Converting Windows 2000 with VMware Converter

Converting a Windows 2000 machine has a bunch of caveats and problems when going from physical to virtual (p2v), using VMware vCenter Converter Standalone.

Requirements:
  • VMware Standalone Converter version 4.0.1 (See Additional Info at the end)
  • Update Rollup 1 for Windows 2000 SP4 (KB891861)
  • Windows 2000 Sysprep tools (Q257813)
  • A Windows or Linux LiveCD. I recommend Knoppix (6.4+ - Linux) or Hiren (Windows).
    If you need to modify registry keys, use Hiren.

Procedure:
  1. Install VMware Standalone Converter version 4.0.1
  2. Extract sysprep tools and place them in C:\Documents and Settings\All Users\Application Data\VMware\VMware vCenter Converter Standalone\sysprep\2k
    That should be on the same machine that has VMware Converter, not the Windows 2000 server.
    * On Windows 2008, the location is C:\Users\All Users\VMware\VMware vCenter Converter Standalone\sysprep\2k (Thanks Anonymous for the tip!)
    or C:\ProgramData\VMware\VMware vCenter Converter Standalone\sysprep\2k (thanks Ben!)
  3. Either apply the update rollup to the server or extract the update rollup and replace it with the file SCSIPORT.SYS in C:\WINNT\system32\drivers. Applying the update is recommended if the system is stable.
  4. If you’re using a static IP on the Windows 2000 server, see this Knowledge Base article.
  5. Run the Converter and deploy the agent. If you’re asked to restart, restart then start the VMware Converter service manually before running the Converter again, otherwise it’ll ask you to deploy the agent again.
  6. In Step 3: View / Edit Options, Click on the Devices pane and change the disk controller to BusLogic SCSI.
  7. Keep the number of processors as is, because if you change it, Windows 2000 won’t auto-detect new CPUs and you’ll need to update the Hardware Abstraction Layer (HAL) on it manually. See KB234558 and KB249694 for more details.
  8. In the Networks pane, deselect the option to connect at power on.
  9. In the Advanced Options pane, do not select the options to power off the source and select the option to power on the target (VM). Do install VMware tools.
    Do NOT select "configure guest preferences for the virtual machine"
With that, you should be set to convert that machine. After the conversion is complete, the VM will start, install VMware tools, then restart. After it comes up you should apply the proper network settings then shutdown and enable the NIC to connect at power on.

Problems and Solutions:
  • "disk read error" when starting the virtual machine.
    This happens because you have selected the Disk Controller as “Preserve Source” or “IDE” -- you must select “SCSI” -- after doing so, you’ll need to reconvert the machine.
  • “KMODE_EXCEPTION_NOT_HANDLED” Blue Screen of Death (BSOD) during boot up.
    This happens because Windows 2000 is using the old SCSI driver (SCSIPORT.SYS).
    You must boot into a LiveCD and replace the file in the location mentioned above.
    This happened to me even after I copied the SCSIPORT.SYS to the target machine before converting.
  • After installing the Converter agent, you face problems & restart the Windows 2000 server, then when running converter again, it asks you to re-deploy the agent.
    This happens because when the Windows 2000 system comes up again, the Converter agent service isn’t started again.
    Open the services console (services.msc in run) and right-click VMware Converter then choose Start. After the service is started, run VMware Converter and it should connect.
  • Unable to communicate to the agent.
    The network traffic is probably blocked by firewalls that are on the Converter machine, the Windows 2000 target machine or in between. Make sure the firewalls are disabled or port 9089 is allowed to pass through.
  • "Inaccessible boot device" Blue Screen of Death (BSOD) during boot up.
    This happens due to some misconfiguration of drivers in the registry.
    To fix this, run the Converter program again and do a machine reconfiguration only (don't reconvert). Let it install VMware Tools, select "Reconfigure destination virtual machine" and do NOT select "Configure guest preferences for the virtual machine"
    If that does not solve your problem, read this thread.

Using The Linux LiveCD:
If you’re new to Linux, then here are some steps to help you replace files on virtual machines.

  1. Boot the virtual machine from the LiveCD, by either attaching the ISO file from the data store, your machine, or burning the ISO to a CD (as an image!) and booting it from your CD drive.
  2. At the boot prompt of Knoppix, just press enter to boot into the graphical interface.
  3. Now we need to attach the VM’s disk to the Linux system: open a root shell / terminal.
  4. Type: fdisk -l
    This will list all disks in your VM. Identify your operating system hard disk (by capacity if possible). If it’s not possible, then proceed with the next steps until you find your desired partition by looking at its contents.
    You will see things like: /dev/sda, /dev/sda1, /dev/sda2, ...etc. sda is your first hard disk. sdb is your second hard disk. sda1 is the first partition in your first hard disk.
  5. Type: mkdir /mnt/os
  6. If your operating system (OS) is installed on the first hard disk, first partition, then type: mount /dev/sda1 /mnt/os
  7. You can now open a file manager in the graphical interface and go to this directory: /mnt/os -- you’ll see the contents of that partition.
    If that is not your desired partition, skip to step 10 then try mounting another partition.

    Note: Make sure you mount a partition & not a disk!
    mount /dev/sda1 is correct. mount /dev/sda is not.
  8. To copy a file over the network from a Windows share on another machine, open a file manager and in the address tab type: smb://ip
    Example: smb://192.168.0.1, where the IP is of the machine you want to access over the network to copy a file from.
  9. Right click & copy the file, then go to /mnt/os and paste it there.
  10. You’re almost done. Now you just need to unmount the partition, so close the file manager window that opens /mnt/os and then in the root shell type: umount /mnt/os
  11. Reboot the VM and unattach the CD / ISO.

Additional Info:
  • Knoppix is like any *nix system: case-sensitive when it comes to file names. So you may have to delete to the original file manually then copy the new .SYS file due to the difference in letter case.
  • The sysprep tools will be used by the VMware Converter to prepare a new copy of Windows. It’s required for the cloning process.
  • Support for Windows 2000 has been dropped in VMware Converter version 4.3.
  • VMware Converter Standalone is free. VMware requires that you register to be able to download, but their servers are slow (at least in my experience). I got my copy from 4shared, so just search for it & verify the md5 checksum.
    Windows: VMware-converter-4.0.1-161434.exe - 35f22a3b40b114d70cdbda2d5056c10f
    Linux: VMware-converter-4.0.1-161434.tar.gz - 90ce68a9f75af91aed9119d419a98b3c
  • LiveCD Selection: You can choose anything that works for you as long as it has SCSI disk drivers, otherwise you won’t be able to see the VM’s disks (which is why getting Damn Small Linux was a waste of time...) and can read & write to the NTFS filesystem.

New Google Docs Shows No Love For Blogs

I haven't used Google Docs to publish posts in a while and I found out today that the new version of Google Docs does not support publishing to blogs. I found out after I had finished writing my post.

I didn't find a way to revert back, as the option to use the old version has been removed. Also, Blogger has no option to import a post from an ODF or Word.
My options are limited to one: Pasting the text into the composer then manually removing any coloring of the text, since it hard-codes the colors which contradict with my theme.

I'll blame myself for trusting Google in maintaining a usable solution after deploying it to the masses. I'll stick to writing in Blogger's direct composer from now on.