Open Source Software and Linux: November, 2008 archives


Nov 30 2008   11:02PM GMT

Use UNetbootin to install Linux or BSD



Posted by: John Little
windows, Linux, UNetbootin, livecd, live cd, install to usb, linux installer, windows installer

I ran across UNetbootin after pulling out my old tablet pc and found the Windows OS full of viruses, malware and whatever someone could put on there.

After looking around for the most viable distribution to install on a tablet pc I landed on Ubuntu 8.10. I realised while I was downloading it that I would have to use a usb drive to get it installed. Enter UNetbootin, which by the way stands for Universal Netboot Installer.

It took me all of five minutes to read the instructions and I was off and away! I downloaded UNetbootin for Windows to get started. I plugged in my 1GB usb stick and formatted it to FAT32. I double clicked on the UNetbootin installer, pointed it to the Ubuntu iso file that I had downloaded, made sure it was installing to my usb stick and started the install.

Here is an image of the UNetbootin installer from their web site to set up and kick off your installation:
[Image: UNetbootin installer]

After Ubuntu was installed to the usb stick I rebooted and chose the usb stick as my boot media. Up pops the menu that you normally see when running a live cd. I chose the default option to run from the usb. One thing I noticed is that a live cd runs considerably faster from usb than it does from cd.

The nice thing about UNetbootin is that they did a thorough job on everything that needed to be done. You can install virtually any Linux or BSD distribution with this application. You can see a list of the built in Linux and BSD applications here. They also have a list of supported distributions here.

UNetbootin provides a Linux and Windows installer so that you can use whatever OS that you have available to create your live usb stick. It will work on almost any version of Windows or Linux.

UNetbootin is a very impressive application. Because of its ease of use and the wide range of distributions that it will install without any fuss, I am writing this post from my newly installed Ubuntu on my tablet pc. Start to finish UNetbootin took about 10 minutes to install to the usb stick. Another 30-40 minutes and here I am typing this post.

Try out UNetbootin on a distribution you’ve been wanting to try. Download time plus about 10 minutes and you should be playing with the live usb stick version.

-j

Nov 26 2008   5:10PM GMT

KPlaylist: make your music available anywhere at home or over the internet



Posted by: John Little
mp3, video, multimedia, kplaylist, mp3 server, streaming mp3, streaming music, streaming video

KPlaylist is what I call an MP3 server although it can stream just about any format of music or video.

I have used KPlaylist for several years now. It is an application that I thoroughly enjoy using for listening to my music anywhere that I have an internet or network connection.

KPlaylist is a PHP based script. It requires Apache (or some web server) and MySQL to function properly.

Set up is a breeze with the exception of running SELinux on your web server. See my previous post about working around these difficulties.

SELinux aside, download and extract KPlaylist wherever your document root is for the web server that you plan to use. I have a virtual host set up for KPlaylist so that is where I extract the files. The virtual host DNS is provided by no-ip, in case you are interested.

After you have extracted the files, open the index.php file. You will need to answer a few questions here.

[root@web multimedia]# vi index.php

$db = array(
'host' => 'mysql0.home.local', # MySql server
'name' => 'kplaylist', # Database name
'user' => 'kplaylist', # MySql user
'pass' => 'kplaylist', # MySql password
'prepend' => 'KPL_' # To prepend before the table names
);

Once you have the questions answered simply browse to the directory on your machine where you extracted the files. You will probably need to make a host entry in your /etc/hosts file with your inside address. I would also use a server alias in your http document root or virtual host container that you will use for accessing your server when at home.

At this point all of the values should already be filled in for you so you simply need to click continue. Once the database is created you will need to tell KPlaylist where your music is located. You do this by clicking on settings=>File Handling and filling in the path where it asks for “Base Directory”. The settings menu is found on the left hand side of the screen.

[Image: KPlaylist settings page]

Once you set this path you should see the titles of your music show up in the right hand screen. Be sure to go through all of the admin and user settings so that you can define the look and feel of KPlaylist. You can also set it up so that it will only stream music, or give your users the ability to download from your site.

[Image: KPlaylist main screen]

Have fun keeping and sharing your music wherever you go! Send a note to all of your friends and family about your site. Not only will they enjoy it, they will also upload or send you their music to place on the site.

-j


Nov 23 2008   11:49PM GMT

Photo editing comes to cloud computing with Picnik



Posted by: John Little
picnik, photo editing, picnik photo editing, mac photo editing, linux photo editing, windows photo editing

Picnik is a photo editing application that is provided over the internet through your browser. In other words it is an application that is in the cloud.

It is a cross platform application that works with Linux, Windows and Mac. For Linux there are two addons available. The first is through firefox and gives you the ability to right click on a photo to bring up the context menu. Simply choose edit with picnik and the application opens the picnik editor with the photo ready to edit. You can also choose to take a screen shot of the visible page or the full page for editing in picnik. The second is a button that attaches to your bookmarks toolbar.

Here is a single photo and a partial page photo from Yahoo that I sent directly to picnik using the right click context menu from the firefox addon.

[Image: photo from Yahoo opened in picnik]

[Image: partial Yahoo home page sent to picnik with right click]

Now that I have my photos or screen shots in picnik I can crop them, apply special effects, get rid of red eye and just about anything else you would expect from a standard photo editor. The best part of this is that picnik remembers the last five photos that I edited so that I can edit them further from anyplace that I have an internet connection.

With picnik I can save photos to my computer or connect to many social networking sites including Flickr, Facebook, MySpace, PhotoBucket and more and place my photos there. I can email my photo to a site that accepts photos by email or to any person to whom I want to send it.

All of that is with the free version. Picnik also has a commercial service for $24.95 per year that allows you to batch upload 100 photos, unlimited photo history and unlimited connections to social networking and photo sites. You also get some proprietary fonts, no ads, priority support and fullscreen support.

After trying it for about 30 minutes I was very impressed with what the free capabilities can do which is more than enough for someone who only edits a photo every now and then. It was extremely easy to use and work with. If photo editing is something that you do on a continual basis you should look into the premium service that has a lot of extra content and some editing tools not available in the free version.

I hope that you enjoy using this “Cloud Computing” application to edit your photos.

-j


Nov 21 2008   8:28PM GMT

SELinux and what I’ve learned in the last two days...



Posted by: John Little
Linux, centos, selinux, setsebool, getsebool, selinux mysql, selinux httpd, selinux apache, selinux nfs

I am bringing up a new Virtual Host with VMs of MySQL, music-repo and a webserver. All of these are on CentOS with SELinux enabled. No, I’m not a glutton for punishment using SELinux for all of these machines that are interconnected to each other. I believe the time is coming when organizations are going to insist on the type of security that SELinux provides.

Moving on, I mentioned that my MySQL server is on one box and my web server on another. One of the applications that I use is KPlaylist. This is a streaming server for mp3s, movies or just about anything you want to stream. My first snag was getting it to log into MySQL and create the database.

After about an hour of looking for normal causes I decided to turn on setroubleshoot. This is a great tool when looking for SELinux problems. After I turned it on I found this in /var/log/messages:

Nov 20 15:40:47 web setroubleshoot: SELinux is preventing the http daemon from connecting to network port 3306 For complete SELinux messages. run sealert -l 65919ff0-ddd1-4a4b-801d-f54023da86ac

So then I ran the sealert command shown in the message:

sealert -l 65919ff0-ddd1-4a4b-801d-f54023da86ac

This gave me the following along with some other information:

setsebool -P httpd_can_network_connect=1

Voila! My problem was fixed. Well, almost. I then discovered that iptables was blocking the port. After opening the port using the gui “system-config-securitylevel” all was well. KPlaylist installed its database just like it was supposed to.

My next hurdle was getting the nfs share on the music-repo server to mount on the web server. Checking for another sealert I found this one on the webserver:

Nov 20 23:57:33 web setroubleshoot: SELinux prevented the http daemon from reading files stored on a NFS filesytem. For complete SELinux messages. run sealert -l f76bd0be-d375-436f-9c09-2086da0d7a39

After running this I got the following information:

setsebool -P httpd_use_nfs=1

Well this didn’t totally solve my problem but I did notice that things were getting fixed with the setsebool command. I went looking around the net to see what I could learn about it.

What I learned is that if you are having a problem with a service, you should run the command getsebool -a |grep someservice. I decided to try that with NFS and this is what I got:

[root@music-repo ~]# getsebool -a |grep nfs
allow_ftpd_use_nfs --> off
allow_nfsd_anon_write --> off
nfs_export_all_ro --> on
nfs_export_all_rw --> on
nfsd_disable_trans --> off
samba_share_nfs --> off
use_nfs_home_dirs --> off
[root@music-repo ~]#

The last line was what I found interesting. I originally had my music directory on the music-repo machine at the root of the system. My thought was, OK, let’s create a user with a home directory and enable that boolean. I created a user on the music-repo system called apache and moved the /music directory into /home/apache. I then ran the command:

setsebool -P use_nfs_home_dirs=on

I also moved my music directory that I was mounting to under /var/www which is apache’s home and ran the same command. Now everything was connected and working like it is supposed to be.
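The booleans above are the ones that had to be switched on for this setup to work. As an added example (not part of the original post), the script below audits that list against getsebool -a output and prints the setsebool -P commands still needed; the getsebool output embedded in it is constructed for testing offline, and on a real host you would feed it "$(getsebool -a)" instead. A boolean that is absent from the output is reported as missing, since that usually means the policy module for that service is not installed.

```shell
#!/bin/sh
# Added example, not from the original post: audit the SELinux booleans an
# Apache front end needs when MySQL and the media files live on other hosts.
# Takes "getsebool -a" style text as an argument so it can be tested offline.

# Constructed sample in the format printed by getsebool -a on CentOS 5.
SAMPLE_GETSEBOOL='allow_ftpd_use_nfs --> off
httpd_can_network_connect --> off
httpd_use_nfs --> on
nfs_export_all_ro --> on
nfs_export_all_rw --> on
use_nfs_home_dirs --> off'

# Booleans the post turns on, one per line.
REQUIRED='httpd_can_network_connect
httpd_use_nfs
use_nfs_home_dirs'

# missing_booleans GETSEBOOL_OUTPUT
# Prints the required booleans that are not "on" in the given output,
# one per line; prints nothing when all of them are on.
missing_booleans() {
    _out=$1
    for b in $REQUIRED; do
        state=$(printf '%s\n' "$_out" | awk -v name="$b" '$1 == name { print $3 }')
        if [ "$state" != "on" ]; then
            printf '%s\n' "$b"
        fi
    done
}

# remediation GETSEBOOL_OUTPUT
# Prints the setsebool -P commands that would fix the missing booleans.
remediation() {
    missing_booleans "$1" | while read -r b; do
        printf 'setsebool -P %s=on\n' "$b"
    done
}

# On a real host: remediation "$(getsebool -a)"
remediation "$SAMPLE_GETSEBOOL"
```

Run as root on the web server, the printed commands can be reviewed and then pasted in; the -P keeps the change across reboots, as in the post.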

A note of interest to those of you who would prefer a gui: you should install policycoreutils-gui. This will give you a nice gui called system-config-selinux. In this gui you can browse through everything SELinux has to say and can change.

Now to get that setup as a share for the Windows users so that they can store their music and get it backed up.

-j


Nov 20 2008   12:28AM GMT

Take a break, read some Thanksgiving humor



Posted by: John Little
thanksgiving, thanksgiving humor, thanksgiving and martha stewart

Having had a tough couple of weeks at work I came home tonight thinking “I need something funny in my so called life”. At work it seems to be one thing after another and not much better at home. In short I’m tired, as many people who work in IT can become.

After thinking about it for a while the thought crossed my mind “hey it’s almost Thanksgiving... there’s got to be something funny out there about that”. So I went searching. I found many funny things about the Thanksgiving holiday. I kept coming back to this one though. I don’t know why, maybe because it sounds a little like my family life. Anyway here it is and I hope that you enjoy it as much as I did.

Dining Without Martha Stewart

Martha Stewart will not be dining with us this Thanksgiving. I’m telling you in advance, so don’t act surprised. Since Ms. Stewart won’t be coming, I’ve made a few small changes:

1. Our sidewalk will not be lined with homemade, paper bag luminaries. After a trial run, it was decided that no matter how cleverly done, rows of flaming lunch sacks do not have the desired welcoming effect.

2. Once inside, our guests will note that the entry hall is not decorated with the swags of Indian corn and fall foliage I had planned to make. Instead, I’ve gotten the kids involved in the decorating by having them track in colorful autumn leaves from the front yard. The mud was their idea.

3. The dining table will not be covered with expensive linens, fancy china, or crystal goblets. If possible, we will use dishes that match and everyone will get a fork. Since this IS Thanksgiving, we will refrain from using the plastic Peter Rabbit plate and the Santa napkins from last Christmas.

4. Our centerpiece will not be the tower of fresh fruit and flowers that I promised. Instead we will be displaying a hedgehog-like decoration hand-crafted from the finest construction paper. The artist assures me it is a turkey.

5. We will be dining fashionably late. The children will entertain you while you wait. I’m sure they will be happy to share every choice comment I have made regarding Thanksgiving, pilgrims and the turkey hotline. Please remember that most of these comments were made at 5:00 a.m. upon discovering that the turkey was still hard enough to cut diamonds. As accompaniment to the children’s recital, I will play a recording of tribal drumming. If the children should mention that I don’t own a recording of tribal drumming, or that tribal drumming sounds suspiciously like a frozen turkey in a clothes dryer, ignore them. They are lying.

6. We toyed with the idea of ringing a dainty silver bell to announce the start of our feast. In the end, we chose to keep our traditional method. We’ve also decided against a formal seating arrangement. When the smoke alarm sounds, please gather around the table and sit where you like. In the spirit of harmony, we will ask the children to sit at a separate table … in a separate room … next door.

7. Now, I know you have all seen pictures of one person carving a turkey in front of a crowd of appreciative onlookers. This will not be happening at our dinner. For safety reasons, the turkey will be carved in a private ceremony. I stress “private” meaning: Do not, under any circumstances, enter the kitchen to laugh at me. Do not send small, unsuspecting children to check on my progress. I have an electric knife. The turkey is unarmed. It stands to reason that I will eventually win. When I do, we will eat.

8. I would like to take this opportunity to remind my young diners that “passing the rolls” is not a football play. Nor is it a request to bean your sister in the head with warm tasty bread.

9. Oh, and one reminder for the adults: For the duration of the meal, and especially while in the presence of young diners, we will refer to the giblet gravy by its lesser-known name: Cheese Sauce. If a young diner questions you regarding the origins or type of Cheese Sauce, plead ignorance. Cheese Sauce stains.

10. Before I forget, there is one last change. Instead of offering a choice among 12 different scrumptious desserts, we will be serving the traditional pumpkin pie, garnished with whipped cream and small fingerprints. You will still have a choice; take it or leave it.

Found at this website.
-j


Nov 17 2008   6:32PM GMT

Setting up your firewall on domU with iptables



Posted by: John Little
Firewalls, xen, iptables, dom0, domU, pciback, domU firewall, centos 5

As discussed in an earlier post you must first hide your NIC from dom0 to set up your iptables firewall on your domU. After you have successfully hidden the NIC from dom0 then we can proceed to our domU firewall setup.

You must first decide which domU you are going to use for a firewall. Personally I prefer my firewall domU to have nothing on it but iptables. I can then use POSTROUTING and PREROUTING to NAT my outbound packets and redirect new inbound packets to their correct destinations. After you have your domU built and working properly you need to make the following entry into the configuration file:

name = "fw0"
uuid = "203e2874-a08b-4065-7155-cdad1b5b7341"
maxmem = 256
memory = 256
vcpus = 1
bootloader = "/usr/bin/pygrub"
on_poweroff = "destroy"
on_reboot = "restart"
on_crash = "restart"
vfb = [ "type=vnc,vncunused=1,keymap=en-us" ]
disk = [ "phy:/dev/linux-virtuals/secure,xvda,w" ]
vif = [ "mac=00:16:3e:36:73:82,bridge=xenbr0" ]
pci = [ '01:02.0' ]   # should be the same as obtained from your lspci command

Now start your domU. You should see a second interface, eth1, show up when you use ifconfig. There is no need to build an ifcfg-eth1 file for this as the operating system will take care of it for you. This is the interface that is connected to your DSL/cable connection to the internet. Make sure that you have a cable plugged into the physical interface that [ '01:02.0' ] represents and the other end into your cable or DSL modem. You should see that it gets a publicly routable address like this:

[root@fw0 ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:16:3E:36:73:82
inet addr:172.16.0.254 Bcast:172.16.255.255 Mask:255.255.0.0
inet6 addr: fe80::216:3eff:fe36:7382/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:37856 errors:0 dropped:0 overruns:0 frame:0
TX packets:27763 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:7935825 (7.5 MiB) TX bytes:11696196 (11.1 MiB)

eth1 Link encap:Ethernet HWaddr 00:0E:0C:80:22:B8
inet addr:76.252.xxx.xxx Bcast:76.252.xxx.xxx Mask:255.255.255.0 ===This is the routable IP
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:28701 errors:0 dropped:0 overruns:0 frame:0
TX packets:28332 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:11911130 (11.3 MiB) TX bytes:7313287 (6.9 MiB)
Base address:0xb400 Memory:fea40000-fea60000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:50 errors:0 dropped:0 overruns:0 frame:0
TX packets:50 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:89159 (87.0 KiB) TX bytes:89159 (87.0 KiB)

[root@fw0 ~]#

The x’s are placed in the last two octets for security reasons. However you can see by the first two octets that this is a publicly routable interface that got its address from my ISP.

Now to get your machines on your LAN out to the internet two things must happen. First, their default gateway must be set to the ip address of eth0 on your domU. In my case this is 172.16.0.254. This is quite simple if you are using DHCP. Just make an entry like this into the dhcpd.conf file:

subnet 172.16.0.0 netmask 255.255.0.0 {
range 172.16.0.111 172.16.0.150;
option routers 172.16.0.254;   # set this option for your default gateway
option broadcast-address 172.16.255.255;
default-lease-time 259200;
max-lease-time 604800;
option domain-name-servers 172.16.0.205, xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx;
}

If you’re not using DHCP then you can make an entry either into /etc/sysconfig/network or /etc/sysconfig/network-scripts/ifcfg-eth* where the * is replaced by whatever your interface number is:

GATEWAY=172.16.0.254

Second, once that is done we need to set up our masquerade so that our outbound packets are NATed and we can browse the internet. On the firewall machine issue the following commands:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
service iptables save
service iptables restart

There you have it. Your domU is now connected to the internet, firewalling your network and allowing your internal machines on your LAN to browse the internet. This setup was done on CentOS 5.2 with the native virtualization that is built in.
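The MASQUERADE rule alone makes the domU a NAT router; it does not filter anything, because the FORWARD and INPUT chains are still at their default ACCEPT policy. As an added example that is not part of the original post, the script below generates the post's rule set beside a filtering version with a default-deny FORWARD chain, using the post's interface names (eth1 towards the ISP, eth0 on the LAN) and LAN subnet; the -m state match is the connection tracking module available on CentOS 5.

```shell
#!/bin/sh
# Added example, not from the original post: generate iptables rules for the
# fw0 domU. Interface names and subnet are taken from the post.

WAN_IF=eth1            # interface handed to the domU via pciback
LAN_IF=eth0            # interface on the xenbr0 bridge
LAN_NET=172.16.0.0/16

# minimal_rules: the post's rule set, routing only, no filtering.
minimal_rules() {
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$WAN_IF"
}

# firewall_rules: masquerade plus default-deny INPUT and FORWARD chains that
# only let LAN hosts initiate connections and let the replies come back.
firewall_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
EOF
}

# forward_policy RULES: report the FORWARD chain policy a rule listing sets;
# ACCEPT when it sets none, which is the kernel default.
forward_policy() {
    p=$(printf '%s\n' "$1" | awk '$1 == "iptables" && $2 == "-P" && $3 == "FORWARD" { print $4 }')
    printf '%s\n' "${p:-ACCEPT}"
}

# To apply on the domU as root:  firewall_rules | sh && service iptables save
firewall_rules
```

Pipe the output through sh from a console session rather than over ssh the first time, since the INPUT policy flips to DROP before the LAN accept rule is added.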

-j


Nov 16 2008   10:12PM GMT

Set your hardware and system clocks with the date and hwclock commands



Posted by: John Little
Linux, date, time, system clock, hwclock, hardware clock, rtc, set system time

Today we’re looking at the date and hwclock commands to set your system and hardware clocks.

Have you ever put a server into production only to realize that you had not set the hardware clock to UTC or any other time? When you’ve already put the machine into production it’s pretty difficult to go to your manager and tell him that you need to shut the machine down to set the hardware clock. Using the date and hwclock commands will allow you to set both clocks without shutting down your machine.

Computer systems, administrators and users all rely on the correct date and time to function properly or to make their jobs go more smoothly. The system uses cron to execute programs at a certain time. As an administrator you need the correct time when checking logs and looking for problems. If the system clock is off, see how long it takes your users to start calling about incorrect dates and times on their documents. In short, things are not going to go smoothly if the date and time are wrong on the system.

The most likely scenario is that your system clock is off because it is relying on your hardware clock for the correct time. Here is how we correct this. First you need to set the correct time for the system with the date command. Type the date command to see the date and time format of the string:

[root@virtual-host ~]# date
Sun Nov 16 16:51:53 EST 2008
[root@virtual-host ~]#

We want to use this exact type of string to set our system clock:

date --set="Sat Nov 15 18:49:00 EST 2008"

Ok now we are going to set our hardware clock to this date:

hwclock --systohc --utc

That’s it. Now your hardware clock is set and your system clock can keep the correct time by referring to it. You can also set your system clock from your hardware clock with the following command:

hwclock --hctosys

Both of these can be particularly important if you are trying to set up the ntp daemon against an internet time source and your system clock is off by more than 1000 seconds. The ntp daemon will not work under these conditions so you must correct them first.

Hope this helps you keep your systems on time!

-j


Nov 14 2008   3:26PM GMT

Application Whitelisting for Windows... or is it SELinux?



Posted by: John Little
Security, Linux, malware, anti-virus, whitelisting, selinux, rootkit, root kit

I recently read an article in eWeek that talked extensively about Application Whitelisting. The more of the article I read, the more this seemed to be nothing more than SELinux on Windows.

The Windows people are looking to lock down their machines because of the horrendous numbers of viruses, trojans and other malware that attacks them. Apparently user education, anti-virus and anti-whatever just is not getting the job done.

Windows machines in the past have used the traditional methods for fighting malware. Anti-virus tracks and quarantines certain bits that are known malware problems. This is known as blacklisting. Whitelisting is the process whereby certain executables are approved to run on a certain machine.

Now let’s have a look at SELinux, which was first implemented by Red Hat several years ago. While Linux in general does not have a problem with malware, an unprotected machine could get hacked and unwanted applications installed. Red Hat wanted a way to stop this type of intrusion. Let’s look a little deeper at how this came into play.

SELinux was originally a development project from the National Security Agency (NSA) and others. It is an implementation of the Flask operating system security architecture. The NSA integrated SELinux into the Linux kernel using the Linux Security Modules (LSM) framework. SELinux motivated the creation of LSM, at the suggestion of Linus Torvalds, who wanted a modular approach to security instead of just accepting SELinux into the kernel.

You can see the rest of the article here

So here we have a security application mostly developed by the NSA.

Much of the work to get the kernel ready for upstream, as well as subsequent SELinux development, has been a joint effort between the NSA, Red Hat, and the community of SELinux developers.

Now let’s look at how SELinux runs under Red Hat and any other *nix that uses it. Red Hat uses what is called a targeted policy for SELinux. SELinux creates what are known as domains. Each daemon has its own domain. Every daemon on the system runs under the unconfined_t domain except for those that have targeted specific domains. Daemons that run under the unconfined_t domain fall back to using standard Linux security. As an example, the http and ntp daemons run under the targeted policy by default and are therefore protected. If you haven’t experienced what happens under this protection: if one of the binaries or configuration files gets put into the wrong context, the daemon will not start.
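The "wrong context" failure is the one to check for before blaming the daemon. As an added example that is not part of the original post, the script below parses ls -Z style listings of a web root and reports files whose type is not httpd_sys_content_t, printing the restorecon command that resets each one to the policy default. The listing embedded in it is constructed for offline testing (a file copied in from a home directory keeping its user_home_t label); on a real CentOS 5 host you would feed it "$(ls -Z /var/www/html)".

```shell
#!/bin/sh
# Added example, not from the original post: find files under the web root
# whose SELinux type is not the one httpd's targeted domain may read.
# Parses "ls -Z" style text (perms user group context name) so it can be
# tested offline; on a real host pass "$(ls -Z /var/www/html)".

# Constructed sample of ls -Z output on CentOS 5: index.html and images are
# fine, music.php was copied from a home directory and kept its label.
SAMPLE_LS_Z='-rw-r--r--  apache apache system_u:object_r:httpd_sys_content_t:s0 index.html
-rw-r--r--  apache apache user_u:object_r:user_home_t:s0 music.php
drwxr-xr-x  apache apache system_u:object_r:httpd_sys_content_t:s0 images'

EXPECTED_TYPE=httpd_sys_content_t

# mislabeled LS_Z_OUTPUT
# Prints "name type" for each entry whose type differs from EXPECTED_TYPE;
# prints nothing when every entry is labeled correctly.
mislabeled() {
    printf '%s\n' "$1" | awk -v want="$EXPECTED_TYPE" '
        NF >= 5 {
            split($4, ctx, ":")          # user:role:type[:level]
            if (ctx[3] != want) print $5, ctx[3]
        }'
}

# fix_commands LS_Z_OUTPUT WEBROOT
# Prints one restorecon command per mislabeled file, nothing if all is clean.
fix_commands() {
    mislabeled "$1" | while read -r name type; do
        printf 'restorecon -v %s/%s\n' "$2" "$name"
    done
}

fix_commands "$SAMPLE_LS_Z" /var/www/html
```

restorecon relabels from the file context database, so a directory that the policy does not know about (a music tree under a home directory, as in the earlier post) needs a boolean or a semanage fcontext entry instead; this script only finds the mismatch.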

This should be starting to sound familiar next to the definition of Application Whitelisting above. It will be interesting to see if the Windows shops buy into this method of protection. I also expect some announcement from Microsoft or some other big firm about how they have developed this new concept and are providing it as a tool to protect Windows applications. I wonder how much the licensing fee and yearly maintenance will be on that…

-j


Nov 12 2008   9:39PM GMT

Which processors support hardware assisted virtualization?



Posted by: John Little
intel vt, hvm, hardware assisted technology, amd-v, pacifica

Today as I was looking for a new workstation it occurred to me that I didn’t know which of them had the HVM or hardware assisted technology that I require. As an administrator I like to have this technology on my workstation so that I can test various builds, updates and so on before putting them into production. Since I run CentOS 5 with Xen on my workstation and have to occasionally test something with a Windows machine, I require the HVM technology.

And so began my hunt for what I knew would be a valid source of lists for the processors that have this technology. I could then pick my machine based on the processors in this list.

Finding this list was unbelievably difficult. Remember, I said that I wanted a valid list. I did all sorts of Google searches with every keyword that I could think of, all to no avail. After an hour or so of this I decided to have a look on Intel’s site. About 30 minutes later I had what I wanted.

For the Intel processors you can go to this page. Here you will see two tabs. Click on the tab “View Processor Number Details”. On this tab you will see a table titled “Select Processor Brand”. After clicking on one of the processor brands another table will come up. Find the column that says Intel VT and Voila! you have found what you are looking for. If the processor listed has a check in this column then it is capable of hardware assisted virtualization.

Here is a screen shot of the last screen that I mentioned above.
[Image: Intel VT column in Intel’s processor table]
As you can see from the top of the screen shot we are looking at the Intel Core 2 Extreme Processor. Now look across the columns until you see Intel VT. Any of the processors listed in the first column that have a checkmark in the Intel VT column will support HVM technology.

I spent some time on AMD’s website looking for the same thing. Unfortunately I did not find one. If I do I will post it here.

-j


Nov 12 2008   3:08AM GMT

Finally, Virtualization testing for Xen, ESX, Hyper-V and more



Posted by: John Little
Virtualization, citrix, hyper-v, xenserver, ESX, parallels, Virtual Iron

Information Week has announced a test among several virtual machine vendors including Citrix, ESX, Microsoft’s Hyper-V, Parallels and Virtual Iron.

This comparison is what Information Week calls a rolling review. This is where, over a period of time, all of the products are pitted against one another.

The testing starts from bare metal and includes four VM Hosts. Two are on identical high end servers newly purchased and two on lesser powered servers that have been repurposed for virtual host use.

The evaluation will consist of each vendor’s ease of setup, configuration, data and network connectivity. Conversion tools supplied by each of the vendors will be used to migrate real world servers running Windows 2000, 2003, 2008, Windows XP, and Debian Linux.

The first reviews will begin with Citrix XenServer. Identical runs of Microsoft’s Hyper-V and VMware’s ESX server will follow. After these tests are completed Information Week’s Lab will provide a comprehensive overview of the smaller vendors. Following the testing, a comprehensive wrap-up detailing the features, performance, and price differences among the different virtualization vendors will be provided.

Follow the results of the rolling review here.

-j