drink the sweet feeling of the colour zero

NFS Client in Windows 7 Pro


I realise this is a little late to the game, but I find Microsoft’s attitude towards end users offensive.  Take for example the statement that “NFS Client isn’t something we usually support here” on the “Microsoft Answers website since Answers is directed towards consumers.”  That is offensive.  Consumers are increasingly operating in heterogeneous environments thanks in no small part to Microsoft’s steadfast insistence on not actually listening to its customer base.  For better or worse, Mac desktops and notebooks are seeing a dramatic rise, especially within North America.  Microsoft knows this.

This has a direct effect on the topic at hand in that consumer level devices are now increasingly being shipped not only supporting NFS, but with NFS as the default protocol.  NFS (and similar heterogeneous cohabitation technologies) quite simply are consumer-level technologies today.  Attempting to proclaim it otherwise because it doesn’t meet with the party line on the topic does nothing but further alienate the customer base.

Not that the arbitrary stratification of versioning that leaves those of us with “Windows 7 Professional” operating systems out in the cold hasn’t done that already.

That rant over and done with, let’s get around to actually helping people here!  Some NFS client information of relevance to real people, in the real world:

1) nekodrive, a Google Code project that brings NFS v2/3 support to Windows.  (NFS 4.1 support is under active development, but not yet supported.)  Quite frankly, this isn’t quite ready for prime time, unless you are willing to be a little nerdy about it.  It is okay for one-off work, but doesn’t operate nearly as seamlessly as a proper client.

2) The University of Michigan NFS v4.1 client.  This is the exact same client for NFS 4.1 that Microsoft included in Windows 8.  (Indeed, Microsoft funded its development.)  It is located here.  However, it does take a little bit of knowledge to install.  I have found it easily scriptable for installs on a mass scale, and certainly not a problem for installs on my home machine.

The project maintains regular code drops, and the binaries can be accessed here.  Alongside the install instructions above, any novice computing enthusiast who has actually typed “start, run, CMD” before will be perfectly able to get a top-notch NFS 4.1 client up and running on Windows 7 Professional.

I can’t recommend this 4.1 client enough.  If you have NAS devices supporting NFS 4 (for example, a Synology with the latest DSM), this client is great at bridging the gap between Windows and Mac.

3) There was a company called Labtam that once made a relevant product.  The website is still up; however, all indications are that they ceased to exist towards the end of 2009.  It may be worth further investigation to see if they have sold the tech on to someone, as the internets claim it was reasonably reliable for NFS v3.  At $40, it’s significantly cheaper than an “anytime upgrade,” and has the additional bonus of neither condoning nor encouraging Microsoft’s arbitrary product segregation.

Will Windows 8 – presuming you can stomach Metro – be more of the same?  Or will the reduced edition count lead to an unprecedented breakout of sanity?  Somehow, I doubt it.

Basic Linux Bandwidth Shaping


This post is largely for my own personal reference.

Bandwidth shaping has traditionally been very difficult.  To truly understand it you must know a fair amount about networking.  The tools are somewhat arcane.  Fortunately, some folks have given us all a leg up by greatly simplifying the process.  It is still far from “easy peasy,” but it is also no longer the black art it once was.

I have recently had cause to configure bandwidth shaping on my edge Linux routers.  For this task I have made use of the Hierarchy Token Bucket (HTB) queuing that is part and parcel of modern Linux kernels.  I set up the HTB init script on my edge Linux routers, and need to document exactly how I installed the whole thing.  This includes the HTB Webmin module, which I use as a visual reference to tell me if I have configured the HTB text files properly.

This setup involves the following:
– HTB Init Script http://sourceforge.net/projects/htbinit/
– HTB Webmin Module http://sehier.fr/webmin-htb/
– Webmin http://www.webmin.com/
– CentOS 5.5 http://centos.org/

This setup presumes the following:

– You have set up and configured a CentOS 5.5 system
– You have configured the networking on this system to serve as a network router
– You have installed Webmin
– You have properly configured the firewall to allow access to Webmin (default port: 10000)
– You have a basic working knowledge of Linux commands (wget, chmod, chown and similar.)
– You have a basic working knowledge of Webmin (how to add modules and navigate the GUI.)

Step 1:  Install the htb.init script.

Wget my modified HTB init script (http://www.trevorpott.com/downloads/htb/htb.init) into /etc/init.d.  Chmod it 0755 and chown it root:root.  Using my modified version is necessary because of an incompatibility in the original script’s use of the “find” command (-maxdepth was improperly positioned and blew up under CentOS 5.5).

The original unmodified script is available on sourceforge here.

Step 2:  Install the Webmin HTB module.

Webmin –> Webmin Configuration –> Webmin Modules
Select “third party module from” and enter http://sehier.fr/webmin-htb/webmin-htb.tar.gz
(Note: also cached here: http://www.trevorpott.com/downloads/htb/webmin-htb.tar.gz)
Select “Install Module”.

This will properly create the Webmin module directory under /etc/webmin, as well as register the module with Webmin itself.  Sadly, as this is not a .wbm, there are some bugs.

Wget the .tar.gz into /etc/webmin/ and run “tar -zxvf” against it.  This will unpack the files into the /etc/webmin/htb directory with all the proper permissions.  You can now delete the webmin-htb.tar.gz file.

Step 3:  Setting up the config files.

Create the directory /etc/sysconfig/htb.  The directory should be chmoded to 0755 and chowned root:root.  This directory houses the files that the htb.init script will use to configure htb on your system.  A sample configuration is provided here: http://www.trevorpott.com/downloads/htb/archive.tgz

An explanation of how these files work is provided below.

Step 4: Install the Tree::DAG_Node Perl library.

Enter the following (without the quotes) into the command line: “cpan -i Tree::DAG_Node”.  When it asks if you would like to build manually, enter “no.”

Step 5: Check the configuration.

To check your config using Webmin do the following:
Webmin –> Networking –> Hierarchy Token Bucket queuing.  This module will allow you to configure HTB as well as provide alerts if there are misconfigurations.

To check the configuration using the command line do the following:
/etc/init.d/htb.init compile

Step 6:  Start the service.

If you are satisfied with the configuration, then in Webmin do the following:
System –> Bootup and Shutdown
Select “htb.init” and click “start now and on boot.”

How the config files work:

The configuration for the HTB init script is picked up both from the naming of the config files and their content.  To really understand how HTB works you should read the user manual.  The significantly dumbed down version is as follows:

HTB provides a method of bandwidth shaping using your Linux box.  You set up a “root” class that contains the total bandwidth you wish to allocate for one group of IP addresses or ports.  You then create classes which are subordinate to this root class.  Each of these classes can be (and indeed should be) guaranteed a minimum amount of bandwidth.  All classes subordinate to the root can also be configured with a ceiling.  The ceiling parameter is the maximum bandwidth that class can consume.

Should the root class have extra unconsumed bandwidth available (because one of the other subordinate classes is not consuming its full allotment), then any subordinate classes requiring bandwidth above and beyond their minimum guaranteed amount will be able to “borrow” bandwidth from another class subordinate to the same root.

Subordinate classes can for example be an IP address, a subnet or a specific class of traffic such as “all traffic to port 80.”

A working real world example (as per the provided archive.tgz) is thus:

I have a small Linux box configured with two network interfaces: eth0 and eth1. My provider offers me a 100Mbit pipe, however they charge me based on throughput usage rather than total bandwidth consumption. Thanks to this, I wish to limit my total possible throughput consumption to 15Mbit symmetrical.

For the purposes of this demo file, I have changed all the IP addresses involved to be on the 10.0.0.128/27 subnet.  In the real world the subnet in use has externally addressable addresses, as I am using this system to shape throughput to a subnet provided to me by my ISP.

eth0 is the interface going out to my ISP.
eth1 is the interface on which my ISP-delegated subnet can be found.

By shaping traffic on the eth0 interface I can control the speed of traffic flowing from my provisioned subnet to my ISP. (Upstream traffic.)

By shaping traffic on the eth1 interface I can control the speed of traffic flowing from my ISP to my provisioned subnet.  (Downstream traffic.)

The file eth0 contains one line: default=91.  This tells HTB that the default class for all unclassified traffic on eth0 will be 91.  The file I have set up to define this class is eth0-2:91.default_up

The file eth0-2.root_up defines the root class for eth0. The root class is the number 2. The HTB init script infers this from the filename. Everything before the dash (eth0) is the interface. Everything after the dash but before the period (2) is the class. Everything after the period (root_up) is the “friendly name” of the class.

Looking at the default file we see that it has a colon.  As with the root class, everything before the dash (eth0) is the interface.  Everything after the dash but before the period (2) is the class.  Since this class has a colon (2:91), the script will parse this as being “class 91, subordinate to class 2.”  Everything after the period (default_up) is the “friendly name” of the class.

You will notice also several files with “friendly names” consisting of three numbers. These “friendly names” are simply the last octet of the IP address that rule is defining bandwidth shaping for.

The logical hierarchy defined by the filenames and their contents is as follows:

- eth0: all unclassified traffic will use class 91
  - class 2 (root_up): Maximum throughput of 15Mbit.
    - class 11 (137): Guaranteed 1Mbit, Ceiling of 15Mbit, SRC 10.0.0.137
    - class 21 (157): Guaranteed 5Mbit, Ceiling of 15Mbit, SRC 10.0.0.157
    - class 31 (133): Guaranteed 1300Kbit, Ceiling of 15Mbit, SRC 10.0.0.133
    - class 41 (132): Guaranteed 600Kbit, Ceiling of 15Mbit, SRC 10.0.0.132
    - class 51 (158): Guaranteed 600Kbit, Ceiling of 15Mbit, SRC 10.0.0.158
    - class 61 (144): Guaranteed 4Mbit, Ceiling of 15Mbit, SRC 10.0.0.144
    - class 71 (136): Guaranteed 500Kbit, Ceiling of 15Mbit, SRC 10.0.0.136
    - class 91 (default_up): Guaranteed 2Mbit, Ceiling of 15Mbit, Burst 15k

- eth1: all unclassified traffic will use class 91
  - class 2 (root): Maximum throughput of 15Mbit.  Burst in 15k increments.
    - class 10 (137): Guaranteed 4Mbit, Ceiling of 15Mbit, DEST 10.0.0.137
    - class 20 (157): Guaranteed 5Mbit, Ceiling of 15Mbit, DEST 10.0.0.157
    - class 30 (133): Guaranteed 1300Kbit, Ceiling of 15Mbit, DEST 10.0.0.133
    - class 40 (132): Guaranteed 600Kbit, Ceiling of 15Mbit, DEST 10.0.0.132
    - class 50 (158): Guaranteed 600Kbit, Ceiling of 15Mbit, DEST 10.0.0.158
    - class 60 (144): Guaranteed 1Mbit, Ceiling of 15Mbit, DEST 10.0.0.144
    - class 70 (136): Guaranteed 500Kbit, Ceiling of 15Mbit, DEST 10.0.0.136
    - class 90 (default): Guaranteed 2Mbit, Ceiling of 15Mbit
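As an added example (not part of the post or of the htb.init project), here is a small Python checker that parses the filename convention described above and validates the resulting hierarchy much as the Webmin module’s misconfiguration alerts would: a child whose ceiling exceeds its parent’s, children whose guarantees together over-commit the parent’s rate (which would let one host squeeze the others), and a default class that no file defines.  The key=value contents of the class files (RATE, CEIL, RULE) are an assumption about htb.init’s format, not taken from the post, and the directory contents are constructed from the eth0 hierarchy above.

```python
import re

# Constructed stand-in for /etc/sysconfig/htb, following the file naming the post
# describes; the key=value contents mirror htb.init class files but are assumed here.
HTB_DIR = {
    "eth0": "default=91\n",
    "eth0-2.root_up": "RATE=15Mbit\nCEIL=15Mbit\n",
    "eth0-2:11.137": "RATE=1Mbit\nCEIL=15Mbit\nRULE=10.0.0.137\n",
    "eth0-2:21.157": "RATE=5Mbit\nCEIL=15Mbit\nRULE=10.0.0.157\n",
    "eth0-2:31.133": "RATE=1300Kbit\nCEIL=15Mbit\nRULE=10.0.0.133\n",
    "eth0-2:41.132": "RATE=600Kbit\nCEIL=15Mbit\nRULE=10.0.0.132\n",
    "eth0-2:51.158": "RATE=600Kbit\nCEIL=15Mbit\nRULE=10.0.0.158\n",
    "eth0-2:61.144": "RATE=4Mbit\nCEIL=15Mbit\nRULE=10.0.0.144\n",
    "eth0-2:71.136": "RATE=500Kbit\nCEIL=15Mbit\nRULE=10.0.0.136\n",
    "eth0-2:91.default_up": "RATE=2Mbit\nCEIL=15Mbit\nBURST=15k\n",
}

# <iface>-<class>.<name> is a root class, <iface>-<parent>:<class>.<name> is a
# child of <parent>, and a bare <iface> file holds that interface's defaults.
NAME_RE = re.compile(r"^(?P<iface>[^-.]+)(?:-(?P<a>\d+)(?::(?P<b>\d+))?\.(?P<name>.+))?$")
UNITS = {"bit": 1, "kbit": 1_000, "mbit": 1_000_000}

def to_bps(text):  # '1300Kbit' -> 1300000 bits per second
    m = re.fullmatch(r"(\d+)([A-Za-z]+)", text.strip())
    return int(m.group(1)) * UNITS[m.group(2).lower()]

def parse_kv(content):  # key=value lines; keys lower-cased so default= and DEFAULT= both work
    pairs = (line.split("=", 1) for line in content.splitlines() if "=" in line)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_htb_dir(files):  # returns the misconfigurations found in {filename: content}
    problems, classes, defaults = [], {}, {}
    for fname, content in files.items():
        m, kv = NAME_RE.match(fname), parse_kv(content)
        if m is None:
            problems.append(f"{fname}: name is not iface[-parent[:class].name]"); continue
        if m.group("a") is None:                        # interface file, e.g. "eth0"
            defaults[m.group("iface")] = kv.get("default"); continue
        parent, cls = (m.group("a"), m.group("b")) if m.group("b") else (None, m.group("a"))
        classes[(m.group("iface"), cls)] = {"parent": parent, "rate": to_bps(kv["rate"]),
                                            "ceil": to_bps(kv.get("ceil", kv["rate"]))}
    for (iface, cls), c in classes.items():
        p = classes.get((iface, c["parent"])) if c["parent"] else None
        if c["parent"] and p is None:
            problems.append(f"{iface} class {cls}: parent class {c['parent']} is undefined")
        elif p and c["ceil"] > p["ceil"]:
            problems.append(f"{iface} class {cls}: CEIL exceeds parent's CEIL")
        # A guarantee is only real if the children's RATEs fit inside this class's RATE.
        kids = sum(k["rate"] for (i, _), k in classes.items() if i == iface and k["parent"] == cls)
        if kids > c["rate"]:
            problems.append(f"{iface} class {cls}: children guarantee {kids} > own RATE {c['rate']}")
    for iface, d in defaults.items():
        if d is None or (iface, d) not in classes:
            problems.append(f"{iface}: default class {d} is not defined")
    return problems
```

Run against the eth0 layout above the checker returns an empty list, since the eight guarantees sum to exactly the root’s 15Mbit; raising one child’s RATE or CEIL, or pointing an interface file at a class no file defines, produces a message naming the offending class.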

An example based on this configuration is that of an FTP server located at 10.0.0.137. It has a guaranteed 1Mbit up and 4Mbit down. (It is mostly used for other people to send files up to us.) It can however receive or send information at up to 15Mbit, should none of the other systems on the subnet be consuming their allotments.

Notes:
The rate limits for each network card are set at 15Mbit total.  That rate limit will affect both upstream and downstream traffic on each NIC.  While I am only defining upstream caps on my eth0 NIC and downstream caps on my eth1 NIC, this configuration effectively limits my system to 15Mbit half duplex.  This is by design.  I want to be able to send at 15Mbit upstream or receive information at 15Mbit downstream, but I also do not want my combined upstream and downstream to surpass 15Mbit.  It is a quirk of how I am billed (95th percentile of half-duplex consumed throughput).

Additionally, of a possible usable 29 IP addresses in this subnet, only 7 are explicitly defined in the bandwidth shaping rules above. Any servers located on other IPs within the subnet would fall under the “default” rule. This allows me to do three important things:

1) Guarantee traffic to specific computers within my subnet.
2) Cap the total bandwidth consumed by all computers to 15Mbit.
3) Force all systems not explicitly defined to obtain throughput by contention.

There you have it:  a dumbed down overview of a very basic HTB shaping setup using the HTB.init script.

El Reg Blog Articles: “DNS, Malware and You”


This group of articles is all about DNS and malware.  (Though spam hangs off of it too.)  Interesting for server admins.

Blackhole your malware
Malware protection for the rest of us
It’s time to presume the web is guilty

El Reg Blog Articles: “Browser Security”


While no longer writing articles in fixed sets of three, I do still tend to write clumps of articles with a common theme.  It’s usually because I write articles based upon what I am working on at the time.  This set of articles is based on browser security.  Frankly, I think they are critical for everyone to read.  Practice good Internet hygiene!

Ditch the malware magnet
Private lessons
Nothing succeeds like XSS

RDP and barcode scanners


On some machines, you may find that the keyboard input from devices (such as barcode scanners) that fire keystrokes in rapid succession into an RDP session is corrupted.  This occurs particularly when trying to use these devices in combination with a JavaScript- or CSS-heavy webpage in certain browsers.

The workaround for now is to change the RDP settings on the connecting computer.  In your RDP client do the following:

Select “Options”
Go to “Local Resources”
Under “Keyboard” set “Apply Windows key combinations” to “On this computer.”

A little bit about Facebook security


Facebook has granular privacy settings.   I strongly encourage anyone who is using it to do the following:

1) Create “lists” (such as “Actual Friends,” “Family,” “Acquaintances,” etc.).  Placing people into groups allows you to granularly control the flow of information.

2) Explore Facebook’s privacy settings, and carefully review who can see what. (It’s all fine and good to post things on Facebook, but if you add family to your “friends” list, your mum might have something to say about last night’s bender at the strip club.)

3) Be aware that by default Facebook shares all your info with the whole world.  Don’t give Facebook any more information than you feel will help your friends get hold of you in real life.  Just because it asks you to fill out a box of information doesn’t mean you have to.  The more Facebook knows about you, the more the whole world eventually will.  (It might be a bad idea if your employer can run a Google search and discover that your “sick day” was actually you going fishing.)

4) Remember to check the settings for Facebook advertisements; did you know that by default Facebook shares all your information with advertisers?  This means that despite putting people into “lists” and then carefully reviewing which lists of people are allowed to see what information, these advertisers then can (and sometimes do) reveal your information to everyone.  Be very sure to disable Facebook’s ability to share your personal information with advertisers.

5) Please bear in mind that identity theft is a real issue. People can and do fall victim to it, and the more that fraudsters can learn about you, the easier it is for them to scam you. An ounce of prevention is worth a pound of cure.

Please take the time to look at this website:

http://www.sophos.com/security/best-practice/facebook/ . It provides an excellent overview of Facebook security concerns.

Redhat-based thin client tips


All of the below tips are for Redhat-based systems.  They are really minor, easily searchable items that I have found useful to remember.  I have found them of value when configuring Redhat/Fedora systems as thin clients.  We use Fedora 10 and CentOS 5, usually to turn old hardware into something that will RDP to a Windows virtual machine.  The people using them don’t want to know how it works, just that when they double click on the icon, they get a Windows desktop.  The tips here make such a configuration easier to administer.

System won’t show its hostname in a Windows-powered DHCP:

Edit /etc/sysconfig/network-scripts/ifcfg-eth0  (Or eth1, eth2, etc.)
Add the line DHCP_HOSTNAME=[system_hostname]  (Without the brackets, and with no spaces around the equals sign, as the file is read by the shell.)

Have gnome auto-logon a non-root user:

Edit /etc/gdm/custom.conf
Add the following lines:

[daemon]
TimedLoginEnable = true
TimedLogin = [username]  (Without the brackets.)
TimedLoginDelay = 0  (Salt to taste.)

Exclude a package from yum updates:

In this example, I exclude tsclient, because I prefer the version 1 client to version 2.
(This is because version 2 forces you to store an RDP password, which is terrible for our thin-client purposes.)

Edit /etc/yum.conf
Add the line exclude = tsclient

Note: You can search older RPMs on http://rpm.pbone.net/

Set up vino in gnome so that you can remote administer a system.
(This is a good configuration for auto-logged-on thin clients.)

yum install vnc vnc-server libvncserver vino

Go to System > Preferences > Internet & Network > Remote Desktop
General
– Allow others to view  (This enables vino.)
– Allow others to control  (So that you can manipulate the system.)
– Do not ask for confirmation  (Entirely up to you.)
– Require enter password  (Enter a password.)

© 2009 drink the sweet feeling of the colour zero. All Rights Reserved.
