Archive for ‘Apple’ Category

Proxmox VPS for web development recipe….

datePosted on 17:17, March 10th, 2014 by Many Ayromlou

A little while ago our web developer asked me to look into proxmox containers and how we could take advantage of them to set up a development environment for him. The idea was to use the power of Linux containers and enable him to develop fully functional/accessible sites in a private container. Here are the steps we will cover in this article:

  • Install proxmox on a machine with a single public IP address
  • Secure the machine with ufw to only allow connections from a specific IP address space
  • Set up an admin user other than root for the proxmox admin interface
  • Set up proxmox to use the single IP address and the vmbridge for masquerading
  • Set up two Ubuntu 12.04 containers with private addresses and enable them to access the Internet via the bridge
  • Set up Apache on the proxmox host and configure it as a reverse proxy for the two Ubuntu containers
  • Set up DNS (for the container instances) to point at the proxmox host and test to make sure the “private” containers are accessible from the Internet
  • Tighten up security on the reverse proxy on the proxmox host
  • Optionally only allow access to the proxy from a specific IP address space

To do all this you need to download the proxmox ISO file and burn it to a CD. Go through the installation of proxmox and set up the “host” with the single public IP address. This is simple enough so I’m not gonna cover it here. Once you have this set up you should be able to point your browser at the IP address (https://aaa.bbb.ccc.ddd:8006). NOTE: I will use aaa.bbb.ccc.ddd as the representation of the publicly available IP throughout.

Next we need to secure access to the host so that only connections from a specific IP address space are allowed. In my case that’s the University network (this step is optional). We need to make sure ufw is installed. We also need to make sure ufw is allowing incoming connections by default, and then block everything except access from the University network:

ufw default allow incoming
ufw allow proto tcp from to any port 8006
ufw deny proto tcp from any to any port 8006
ufw allow proto tcp from to any port 3128
ufw deny proto tcp from any to any port 3128
ufw allow proto tcp from to any port 111
ufw deny proto tcp from any to any port 111
ufw allow proto tcp from to any port 22
ufw deny proto tcp from any to any port 22
ufw enable

Note that I’m assuming your ssh connection to the host is via the University network ( Make adjustments to this if it’s not, otherwise you might lock yourself out. These basic rules will plug all the holes accessible publicly and only allow connections from our University network (
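ufw evaluates the rules above in order, first match wins, and anything unmatched falls through to the default policy; because the post keeps `default allow incoming`, a port that does not get its own allow/deny pair stays reachable from everywhere. The script below is an added example (the editor’s code, not the post’s): it models that evaluation over the post’s rule set, adds a `default deny incoming` variant that needs only the allow rules, and includes the lockout check worth running before `ufw enable`. The 203.0.113.0/24 range and the 198.51.100.9 address are constructed stand-ins for the university network and an outside host; port 8080 is included only to show what happens to a port the rules never mention.

```python
"""Evaluate a ufw-style rule list the way ufw does (first match wins, then the
default incoming policy) to see what a rule set really exposes before enabling it."""
import ipaddress

# Constructed stand-ins (assumptions): the post does not give the real ranges.
TRUSTED_NET = "203.0.113.0/24"
ADMIN_IP = "203.0.113.17"
OUTSIDER_IP = "198.51.100.9"
# The ports the post protects, plus 8080 which the rules never mention.
PORTS = [8006, 3128, 111, 22, 8080]


def parse_rule(line):
    """Parse 'ufw allow|deny proto tcp from <cidr|any> to any port <n>'
    (the subset of ufw syntax the post uses) into a dict."""
    tok = line.split()
    if tok[0] == "ufw":
        tok = tok[1:]
    src = tok[tok.index("from") + 1]
    return {
        "action": tok[0],
        "proto": tok[tok.index("proto") + 1],
        "src": None if src == "any" else ipaddress.ip_network(src),
        "port": int(tok[tok.index("port") + 1]),
    }


def decide(rules, default, src_ip, port, proto="tcp"):
    """Return 'allow' or 'deny' for one incoming connection: the first rule
    matching protocol, port and source wins, otherwise the default applies."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule["proto"] != proto or rule["port"] != port:
            continue
        if rule["src"] is not None and ip not in rule["src"]:
            continue
        return rule["action"]
    return default


def exposure(rules, default, src_ip, ports=PORTS):
    """Map each port to the decision a given source address gets."""
    return {p: decide(rules, default, src_ip, p) for p in ports}


def admin_locked_out(rules, default, admin_ip, ssh_port=22):
    """The check to run before 'ufw enable': would the admin's own ssh
    session (from admin_ip) be refused by this rule set?"""
    return decide(rules, default, admin_ip, ssh_port) == "deny"


# The post's layout: default allow incoming, then an allow/deny pair per port.
POST_DEFAULT = "allow"
POST_RULES = [parse_rule(line) for p in (8006, 3128, 111, 22) for line in (
    f"ufw allow proto tcp from {TRUSTED_NET} to any port {p}",
    f"ufw deny proto tcp from any to any port {p}",
)]

# Deny-by-default variant: only the allow rules are needed, and an unlisted
# port (8080 here) is closed instead of left open.
STRICT_DEFAULT = "deny"
STRICT_RULES = [parse_rule(f"ufw allow proto tcp from {TRUSTED_NET} to any port {p}")
                for p in (8006, 3128, 111, 22)]

if __name__ == "__main__":
    for name, rules, default in (("post", POST_RULES, POST_DEFAULT),
                                 ("strict", STRICT_RULES, STRICT_DEFAULT)):
        print(name, "admin    :", exposure(rules, default, ADMIN_IP))
        print(name, "outsider :", exposure(rules, default, OUTSIDER_IP))
        print(name, "admin locked out:", admin_locked_out(rules, default, ADMIN_IP))
```

Running it shows both rule sets treating the listed ports identically, while port 8080 is open to the outsider under the post’s default-allow policy and closed under the deny-by-default variant; `admin_locked_out` returns True whenever the address you are connecting from is outside the trusted range, which is exactly the mistake the note above warns about.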

Setting up users in proxmox is a bit weird. You have to add a regular Unix user to the proxmox host environment and then add the user to proxmox later and give it permissions and roles. Here I will use a user “myadmin” to create something for our web developer to use.

useradd -m -s /bin/bash -U -G sudo myadmin

This will create an account “myadmin”, join it to the primary group “myadmin”, assign it /bin/bash as the shell and make it part of the group “sudo” — which will allow the user to use the sudo command in the future. Next, on the proxmox web interface, we need to create an Admin group called “Admin”. In the proxmox interface we click on the Datacentre in the left pane, go to Groups and click the Create button. Call the group “Admin”. Now go to the Permissions tab in the right pane. We need to create an Administrator Group Permission to assign to our “Admin” group. Click Add Group Permission (right below the tabs in this pane) and fill it in like below:

[Screenshot: Add Group Permission dialog (Path /, Group Admin, Role Administrator)]

In this window the path / means the entire Datacentre (including the host and the containers/VMs). You might want to adjust this. The Role “Administrator” is a predefined role that is pretty much the same as root. Now that our group “Admin” has the “Administrator” role for the entire Datacentre, we want to make the user “myadmin” — which is a unix account right now — part of that group, effectively creating another “root” account for our web developer. So back on the Users tab we click Add and create our new user (really just add the Unix user to proxmox):

[Screenshot: Add User dialog for myadmin]

Okay, so now test and make sure you can access the host via ssh using myadmin as user, also make sure you can sudo to root on the host and check the web interface and ensure the myadmin account can login and see all the goodies in the data centre. Otherwise stop and fix.

At this point login/ssh to the host as root or myadmin (plus “sudo -i” to become root). We need to modify the networking config in /etc/network/interfaces to set up all the masquerading jazz. Make a backup of your interfaces file first and note the public IP address that is in there (I’m gonna use aaa.bbb.ccc.ddd as my public address here). Once you have a backup, replace everything in the file with the following:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address aaa.bbb.ccc.ddd

auto vmbr0
iface vmbr0 inet static
    bridge_ports none
    bridge_stp off
    bridge_fd 0

    post-up   echo 1 > /proc/sys/net/ipv4/ip_forward
    post-up   iptables -t nat -A POSTROUTING -s '' -o eth0 -j MASQUERADE
    post-up   iptables -A FORWARD -s '' -o eth0 -j ACCEPT
    post-up   iptables -A FORWARD -d '' -m state --state ESTABLISHED,RELATED -i eth0 -j ACCEPT
    post-down iptables -t nat -D POSTROUTING -s '' -o eth0 -j MASQUERADE
    post-down iptables -D FORWARD -s '' -o eth0 -j ACCEPT
    post-down iptables -D FORWARD -d '' -m state --state ESTABLISHED,RELATED -i eth0 -j ACCEPT

So in the above I’m creating a separate private network ( behind the publicly available IP address aaa.bbb.ccc.ddd and am using some iptables commands to set up masquerading. This is sort of like setting up a home router to share the publicly available IP address you have at home. Once this is in place reboot the host and make sure you can log back into https://aaa.bbb.ccc.ddd:8006/ and get the proxmox interface. If you’re good to go, as the next step spin up two Ubuntu containers (I won’t go into details on this…..lots of docs out there for this). Your OpenVZ Container confirmation screen should look something like this:

[Screenshot: OpenVZ container confirmation screen]

The only really important thing here is that you setup the networking under Network tab as Bridged mode and select vmbr0 as your bridge. Once that’s done ssh back to your host (aaa.bbb.ccc.ddd). Assuming you have two containers 100 and 101, enter one of them by using the vzctl command:

vzctl enter 100

Once inside the container you need to set up the networking. Again the file here is /etc/network/interfaces (assuming your container is Ubuntu/Debian flavoured). Back up this file first and replace the content with the following:

# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback

auto eth0
#iface eth0 inet dhcp
iface eth0 inet static

Note here that I’m using google’s name server. You can use that or substitute your own “real” name servers. Once you reboot the container and enter it again via the host, you should be able to ping just about any real host (, or whatever). This gives us a basic NAT running on the host; you just need to increment the IP address ( in the above case) in the setup of the second container. At this point you should be able to enter either container and ping something outside.

So the rest of this article describes how to setup a secure reverse proxy using apache on the proxmox host (aaa.bbb.ccc.ddd). This way you can just point arbitrary DNS names at aaa.bbb.ccc.ddd and choose (via apache config) which one of your containers will answer the call. You can even get fancy and have multiple hostnames proxied to the same container and do standard “Name based” virtual hosting inside the container. I will just show the one-to-one proxied connection here. Start by installing apache on the host (apt-get install apache). First we need to activate the proxy module. If you don’t have time to finish this entire procedure DO NOT CONTINUE. Literally in the time it takes to install and configure the proxy, script kiddies will hit your site and use you as a proxy to attack other sites. DO THE PROXY INSTALL AND CONFIG/SECURING PROCEDURE IN ONE SHOT.

Assuming apache is installed go to http://aaa.bbb.ccc.ddd and ensure you’re getting the apache “hello” screen. Now you can enable the three modules needed by issuing the following:

a2enmod proxy
a2enmod proxy_http
a2enmod headers

Once that’s done you need to make some changes to your proxmox host’s default apache config, which is in /etc/apache2/sites-available/default. For the sake of completeness I’ve included my entire file here. Compare it to yours and modify accordingly:

# IMPORTANT: YOU NEED THIS (loads libxml2)
LoadFile /usr/lib/x86_64-linux-gnu/

<VirtualHost *:80>
	ServerAdmin webmaster@localhost

	DocumentRoot /var/www
	<Directory />
		Options FollowSymLinks
		AllowOverride None
	</Directory>
	<Directory /var/www/>
		Options Indexes FollowSymLinks MultiViews
		AllowOverride None
		Order allow,deny
		allow from all
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/error.log

	CustomLog ${APACHE_LOG_DIR}/access.log combined

	# IMPORTANT: YOU NEED THIS
	# Reverse proxy only (no forward proxying), and block all proxy requests
	# through this default virtual host
	ProxyRequests Off
	# Block all requests
	<Proxy *>
	  Order deny,allow
	  Deny from all
	</Proxy>
</VirtualHost>

# IMPORTANT: YOU NEED THIS (one block per proxied hostname)
<VirtualHost *:80>
	# ServerName <hostname served by this block>
	RequestHeader set Accept-Encoding
	ProxyPreserveHost On
	ProxyPass /
	ProxyPassReverse /
	<Proxy *>
	    Order deny,allow
	    Allow from all
	</Proxy>
</VirtualHost>

# IMPORTANT: YOU NEED THIS
<VirtualHost *:80>
	# ServerName <hostname served by this block>
	RequestHeader set Accept-Encoding
	ProxyPreserveHost On
	ProxyPass /
	ProxyPassReverse /
	<Proxy *>
	    Order deny,allow
	    Allow from all
	</Proxy>
</VirtualHost>

Pay particular attention to the parts that have the comment (# IMPORTANT: YOU NEED THIS)……Guess what…..YOU NEED THIS. The first one loads libxml2, which is needed. The second block makes sure you are in reverse proxy mode (not forward proxy) and makes sure the main apache instance can’t be used for proxying. The third and fourth blocks enable reverse proxying for a particular virtual host name. Now we need to reload apache on our proxmox host and do some testing. Reload apache with (service apache2 reload) and, for sanity’s sake, change the index.html file in both containers (under /var/www/index.html) to reflect hosta and hostb. I’ve basically just added the words hosta and hostb to the html file. Register and as “A” records in your DNS and point them at the IP address of the proxmox host (aaa.bbb.ccc.ddd).

If everything is working properly you should be able to use your browser, point it at and get the index.html page specific to that container, and the same for hostb. At this point you should be more or less good to go. If you need more containers addressable from the Internet, just keep adding this block of code to the proxmox host’s /etc/apache2/sites-available/default and change the hostname and increment the private IP address:

<VirtualHost *:80>
	# ServerName <hostname served by this block>
	RequestHeader set Accept-Encoding
	ProxyPreserveHost On
	ProxyPass /
	ProxyPassReverse /
	<Proxy *>
	    Order deny,allow
	    Allow from all
	</Proxy>
</VirtualHost>

Optionally you can now go back and add a couple more ufw rules to only allow access to the proxy from a particular IP address space (in my case the University network):

ufw allow proto tcp from to any port 80
ufw deny proto tcp from any to any port 80

Again with this setup — since we’re preserving the request header and are passing it through the proxy back and forth — you can have hostd, hoste, hostf, all point to the same private IP address in the proxy and do name-based virtual hosting on the apache instance in that container, just like a standard name-based virtual host setup. Hope this helps…..

Manipulating the Clipboard from the Command Line

datePosted on 10:15, November 23rd, 2013 by Many Ayromlou

Manipulating the Clipboard from the Command Line: “Copy and Paste are absolute necessities for virtually all computer users, and if you find yourself working in the command line frequently, you’ll want to know how to manipulate the clipboard. The commands pbcopy and pbpaste do exactly what they sound like, copy and paste through the command line. They’re actually quite powerful and you’ll be sure to find them useful the next time you’re hanging out with your bash prompt.”


After battling this for about a week I think I’ve got it figured out. You can install all the required packages and get everything to talk to your license server from command line. BTW, before I start, you need to have a functional license server otherwise you can stop reading now. I’m gonna use as the domain name of mine, so substitute your DNS name where necessary. Before we start you need to figure out your product codes from the table at the following address:

My products are Maya (657F1), Mudbox (498F1) and my Suite number for ECSU is 793F1. You’ll need these later. Also my base directory (current directory) in these commands is “MacOSX”, there are separate folders for the individual ECSU apps under this folder. First we install Maya:

installer -verbose -pkg ./Maya/Install\ Maya\ -target /

Then we create a file named Maya2014.lic in folder /private/var/flexlm and put the following text inside it:


Make sure this file has at least read permission for group and others (mine is 744). Then we create another file named License.env in folder /Applications/Autodesk/maya2014/ and put the following text inside it:


Install the standalone adlmgr package (you’ll get errors later if you don’t do this):

installer -pkg ./MacOSX/Maya/Install\ Maya\\ Items/AdLM_standalone.mpkg -target /

Now comes the fun part of enrolling the serial number into the license manager. Remember the Product code and the Suite code I had you look up earlier, we need them now. In the following command line -i inserts, “N” is for network license type, First Code is the Product code (Maya) and the second code is the Suite code (ECSU in my case). The following command should get the license added (use the proper serial# starting with 379):

adlmreg -i N 657F1 793F1 2014.0.0.F 379-XXXXXXXX /Library/Application\ Support/Autodesk/Adlm/PIT/2014/MayaConfig.pit

If you screw up you can remove the license via this command:

adlmreg -u N 657F1

Next step is optional. When Maya starts it displays a bunch of intro screens. Since my deployment is run by a KACE appliance I need to be able to Pre-disable these popup screens. The following command will let you do that:

/usr/bin/defaults write /Library/Preferences/com.autodesk.MC3Framework MC3Enabled -int 0

Next we need to install all the Optional installs Maya comes with. Some of it is probably already installed by the Maya installer, but I installed them again for good measure. No harm done. Use the following 11 installer commands to install them:

installer -verboseR -pkg ./Maya/Install\ Maya\\ Items/ADC_docs8.0.pkg -target /
installer -verboseR -pkg ./Maya/Install\ Maya\\ Items/AutodeskBackburner2014.mpkg -target /
installer -verboseR -pkg ./Maya/Install\ Maya\\ Items/AutodeskDirectConnect8.0.pkg/ -target /
installer -verboseR -pkg ./Maya/Install\ Maya\\ Items/Composite2014.pkg -target /
installer -verboseR -pkg ./Maya/Install\ Maya\\ Items/MatchMover2014.pkg -target /
installer -verboseR -pkg ./Maya/Install\ Maya\\ Items/Maya_quicktime_components.pkg -target /
installer -verboseR -pkg ./Maya/Install\ Maya\\ Items/autodesk.backburner.monitor-2014.0_439_i386.pkg -target /
installer -verboseR -pkg ./Maya/Install\ Maya\\ Items/autodesk.dlcommon.libraries_2014.2-2043.i386.pkg -target /
installer -verboseR -pkg ./Maya/Install\ Maya\\ Items/autodesk.webentry-1.0-603.i386.pkg -target /
installer -verboseR -pkg ./Maya/Install\ Maya\\ Items/backburner-2014.0_1635_i386.pkg -target /
installer -verboseR -pkg ./Maya/Install\ Maya\\ Items/mentalrayForMaya2014.0.pkg -target /

Now check to make sure Maya is working and all the other extra little apps we installed are functional. They should be. If not, stop and review. Assuming it’s all working, let’s move on and install Mudbox and the last few optional installs. First we need to install Mudbox:

installer -verboseR -pkg ./Mudbox/Install\ Mudbox\ -target /

Then we need to create the License.env file in /Applications/Autodesk/Mudbox2014/ folder with the following content:


Now comes the fun part of enrolling the serial number into the license manager. Remember the Product code and the Suite code I had you look up earlier, we need them now. In the following command line -i inserts, “N” is for network license type, First Code is the Product code (Mudbox) and the second code is the Suite code (ECSU in my case). The following command should get the license added (use the proper serial# starting with 379):

adlmreg -i N 498F1 793F1 2014.0.0.F 379-XXXXXXXX /Library/Application\ Support/Autodesk/Adlm/PIT/2014/MudboxConfig.pit

If you screw up you can remove the license via this command:

adlmreg -u N 498F1

Only two more install commands left to go. These are optional packages that are part of ECSU. Use the following two installer commands to get them installed:

installer -verboseR -pkg ./mentalraySatellite/Install\ mentalraysatellite\ -target /
installer -verboseR -pkg ./SuiteExclusives/Install\ Suite\ Exclusives\ -target /

Now you should be able to run Mudbox and pretty much all the other apps that are in Autodesk folder under Applications. Hopefully it all worked out for you. I will try to get a KACE workflow done for this in the next few days. If you’re a KACE user and end up making the workflow before I do, please share :-).

This took a while to figure out, mainly because I’m a unix guy trying to “figure out” Windows Server and its archaic ACL system, and the fact that ACLs/attributes under OSX are just insane. The main issue I had with all the other recipes on the net describing this process was that they did NOT work for OSX/Finder. When users transferred the files, Finder was not able to strip off its “in-use” attribute from the file once copied to the destination. This would leave files in limbo (greyed out) and no one could touch/access them from another Mac until I stripped the “in-use” attribute off manually. Normally SMB-capable NASes ignore Finder/OSX attributes and this does not happen, but the FS7500 is “mac friendly” and preserves the attributes, so we had to figure out a way to give Finder enough rights to be able to strip the attribute off once the file was copied.

The core idea here is that you have a windows share (\\elm\DROPBOX in my case) which has a bunch of subfolders under it, one per class (they are in the form BDCxxx.yyy in my case). What we’re trying to do is give AD users who are in AD groups (also called BDCxxx.yyy in my case) which represent classes enough permission to get inside \\elm\dropbox, see the names of the subfolders and be able to drag files onto the appropriate class subfolder (BDCxxx.yyy), essentially submitting their assignment. What we don’t want to let the users do is peek inside those subfolders. It’s the equivalent of a “write only” group permission on a folder (no execute or read bit) in unix land. We also want our instructors to be able to access everything in the DROPBOX share, so we use a group called DropBoxMasters for that purpose.

For the sake of this example I will use the student/class group BDC974.011 which the students belong to and DropBoxMasters group for our instructors. So here we go:

1) We obviously need a share. If you’re using an FS7500 NAS you just create the share and that’s it, no sharing permissions, everything is controlled by Windows ACLs. If your share is on windows then I guess you can give full control sharing permissions to Domain Users. Once this is done we access \\elm to set the Windows permissions on the DROPBOX share.

2) For DROPBOX we need the following permissions to be set to Allow and Apply it to “This folder only”: Traverse folder/execute file, List folder/read data, Read attributes, Read extended attributes, Read permissions. This will allow our BDC974.011 students to see the content of this folder (i.e. the subfolders, one per course). Remember that you need to create this permission set for each individual course/group/class. And remember to apply to “This folder only”.

[Screenshots: DROPBOX permission entry for BDC974.011, applied to “This folder only”]

3) Still on DROPBOX share permissions we want to setup the DropBoxMasters group. This one is easy since it’s “Full control” permission that applies to “This folder, subfolder and files”. Easy :-)

[Screenshot: DROPBOX permission entry for DropBoxMasters, Full control]

4) Before we go on, a note about the above process. In the permissions/Advanced security settings you should only have the “class/course” groups, the DropBoxMasters group, SYSTEM (with full control) and Domain Admins (with full control). Next we want to create the subfolders inside DROPBOX, one subfolder per course/class (BDC974.011 in my case). Permission-wise we want to set up the following permissions for the group that matches our course/folder (i.e. the example screenshots here are for group BDC974.011 on subfolder \\elm\DROPBOX\BDC974.011). We need the following permissions to be set to Allow and applied to “This folder only”: List folder/read data, Read attributes, Read extended attributes, Create files/write data, Create folders/append data, Write attributes, Write extended attributes, Read permissions.

[Screenshots: permission entry for BDC974.011 on \\elm\DROPBOX\BDC974.011, “This folder only”]

5) Still in the security settings for the course subfolder we need to add “CREATOR OWNER” to the list of permissions (This is a built-in windows entity) and give it the following permissions for “Files only”: basically all the allow check boxes EXCEPT the following (leave unchecked)……Full control, Change permissions, Take ownership. Remember these permissions are to be applied to “Files only”.

[Screenshots: CREATOR OWNER permission entry, applied to “Files only”]

That’s it…..Now just keep repeating this for all your courses/groups.

Get rid of double (triple) entries in Finder’s “Open With” Menu

datePosted on 09:55, February 20th, 2013 by Many Ayromlou

Does sh*t like this make you wanna smack your mac :-)

[Screenshot: Open With submenu showing duplicate entries]

Here is a quick way to rebuild the Launch Services database and get rid of duplicates in the Open With submenu:

/System/Library/Frameworks/CoreServices.framework/Frameworks/LaunchServices.framework/Support/lsregister -kill -r -domain local -domain system -domain user

This process should take about a minute or two. You should check to see if this has fixed the problem. On my machine, running 10.8.2, I had to also restart Finder to complete the process using the following command:

killall Finder

That’s all…..Now the Open With submenu is squeaky clean

[Screenshot: Open With submenu after the rebuild, duplicates gone]

Renew a DHCP lease

datePosted on 12:46, January 3rd, 2013 by Many Ayromlou

Renew a DHCP lease:

Renewing a DHCP lease via the Network System Preference Pane has the advantage of not dropping the connection, unlike switching the interface to BOOTP and back to DHCP. This command mimics that behavior. 


Steve Jobs’ Speech From 1983 About Things That Didn’t Exist Until Now | iPhone in Canada Blog – Canada’s #1 iPhone Resource:

Back in 1983, Steve Jobs spoke at International Design Conference (IDCA) in Aspen. Now, the full 1-hour audio recording of Steve’s amazing speech discussing things like wireless networking, App Store and the iPad has surfaced, thanks to folks at who got their hands on one of the cassette recordings from the conference which were handed out to all attendees.


IOS6 Passbook “Can’t connect to iTunes Store” error fix…..

datePosted on 16:36, September 20th, 2012 by Many Ayromlou

Yeah, brand new app in IOS6 and it does not work without fiddling…..Here is how you get it working:

  1. Open Settings.
  2. Open General.
  3. Open Date & Time.
  4. Switch the Set Automatically setting to Off.
  5. Open Set Date & Time.
  6. Set the date to a year ahead.
  7. Go back to the Home screen and open Passbook.
  8. Tap the App Store button. The App Store should load.
  9. Go back to Date & Time and turn on Set Automatically.

That’s it…….life goes on :-)

How to Run Mac OS X Inside Windows Using VirtualBox

datePosted on 16:33, August 28th, 2012 by Many Ayromlou

How to Run Mac OS X Inside Windows Using VirtualBox:

Maybe you’d like to test drive OS X before switching to a Mac or building a Hackintosh, or maybe you just want to run that one killer OS X app on your Windows machine. Whatever your reason, you can actually install and run OS X on any Intel-based Windows PC with a program called VirtualBox. Here’s how.


Preview Fonts with One Click in the OS X Font Window [Mac Tips]

datePosted on 13:28, August 24th, 2012 by Many Ayromlou

Preview Fonts with One Click in the OS X Font Window [Mac Tips]:

Most OS X apps have a small “Fonts” window that pops up if you want to change your font’s options, but by default, it doesn’t show you what each font actually looks like. Here’s how to show a preview of every font with one click.

(Via Lifehacker)
