Archive for ‘Apple’ Category
Posted on 17:17, March 10th, 2014 by Many Ayromlou
A little while ago our web developer asked me to look into proxmox containers and how we could take advantage of them to set up a development environment for him. The idea was to use the power of Linux containers and let him develop fully functional/accessible sites in a private container. Here are the steps we will cover in this article:
To do all this you need to download the proxmox ISO file and burn it to a CD. Go through the installation of proxmox and set up the “host” with the single public IP address. This is simple enough so I’m not gonna cover it here. Once you have this set up you should be able to point your browser at the IP address (https://aaa.bbb.ccc.ddd:8006). NOTE: I will use aaa.bbb.ccc.ddd as the representation of the publicly available IP throughout.
Next we need to secure access to the host to only allow connections from a specific IP address space. In my case that’s the University network — 22.214.171.124/16 — this is optional. We need to make sure ufw is installed. We also need to make sure ufw is allowing incoming connections by default and then block everything except access from the University network:
Note that I’m assuming your ssh connection to the host is via the University network (126.96.36.199/16). Make adjustments to this if it’s not, otherwise you might lock yourself out. These basic rules will plug all the holes accessible publicly and only allow connections from our University network (188.8.131.52/16).
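The lockout caveat above is easy to automate. The following is an added example, not a script from the original post: it applies the "University network only" policy with ufw, but first checks that the address your current ssh session comes from (taken from the SSH_CLIENT variable sshd sets) lies inside the allowed network, and refuses to proceed otherwise. ALLOWED_NET and the DRY_RUN switch are this example's own assumptions; 22.214.171.124/16 is the CIDR quoted above.

```shell
#!/bin/sh
# Added example (not from the original post): lock the proxmox host down to one
# network with ufw, guarding against cutting off the ssh session we are typing in.
# ALLOWED_NET and DRY_RUN are assumptions of this example.

ALLOWED_NET="${ALLOWED_NET:-22.214.171.124/16}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the ufw commands instead of running them

# ip_to_int 10.10.10.2 -> 168430082 (dotted quad to a 32-bit integer)
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) + (b << 16) + (c << 8) + d ))
}

# cidr_contains ADDR CIDR -> exit 0 if ADDR lies inside CIDR, 1 otherwise.
# A bare address (no /prefix) is treated as a /32.
cidr_contains() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    case $2 in */*) bits=${2#*/} ;; *) bits=32 ;; esac
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    fi
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# ufw_cmd ARGS...: run ufw, or just print the command line when DRY_RUN=1
ufw_cmd() {
    if [ "$DRY_RUN" = "1" ]; then echo "ufw $*"; else ufw "$@"; fi
}

# lockdown_to CIDR: deny everything inbound except the given network (this is the
# rule set the post describes), refusing if it would lock out the current session.
lockdown_to() {
    net=$1
    # SSH_CLIENT is "client_ip client_port server_port" inside an ssh session;
    # when it is empty we are on the console and cannot lock ourselves out.
    client_ip=${SSH_CLIENT%% *}
    if [ -n "$client_ip" ] && ! cidr_contains "$client_ip" "$net"; then
        echo "refusing: your ssh client $client_ip is outside $net" >&2
        return 1
    fi
    ufw_cmd default deny incoming
    ufw_cmd default allow outgoing
    ufw_cmd allow from "$net"      # ssh, the proxmox UI on 8006, everything else
    ufw_cmd --force enable         # --force skips ufw's interactive confirmation
}
```

Run it once with DRY_RUN=1 to see the four ufw commands it would issue, then with DRY_RUN=0 as root. The guard only protects the session that runs the script; anyone administering the host from elsewhere still needs to be inside ALLOWED_NET.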
Setting up users in proxmox is a bit weird. You have to add a regular Unix user to the proxmox host environment and then add the user to proxmox later and give it permissions and roles. Here I will use a user “myadmin” to create something for our web developer to use.
This will create an account “myadmin”, join it to primary group “myadmin”, assign it /bin/bash as shell and make it part of the group “sudo” — which will allow the user to use the sudo command in the future. Next on the proxmox web interface we need to create an Admin group called “Admin”. In the proxmox interface we click on the Datacentre in the left pane and go to Groups and click the Create button. Call the group “Admin”. Now go to Permissions tab in the right pane. We need to create an Administrator Group Permission to assign to our “Admin” group. Click Add Group Permission (right below the tabs in this pane) and fill it in like below:
In this window the path: / means the entire Datacentre (including the host and the containers/VMs). You might want to adjust this. The Role “Administrator” is a predefined role that is pretty much the same as root. Now that our group “Admin” has the “Administrator” role for the entire Datacentre, we want to make the user “myadmin” — which is a unix account right now — be part of that, effectively creating another “root” account for our web developer. So back to the Users tab we click Add and create our new user (really just add the Unix user to proxmox):
Okay, so now test and make sure you can access the host via ssh using myadmin as user, also make sure you can sudo to root on the host and check the web interface and ensure the myadmin account can log in and see all the goodies in the data centre. Otherwise stop and fix.
At this point log in/ssh to the host as root or myadmin (plus “sudo -i” to become root). We need to modify the networking config in /etc/network/interfaces to set up all the masquerading jazz. Make a backup of your interfaces file first and note the public IP address that is in there (I’m gonna use aaa.bbb.ccc.ddd as my public address here). Once you have a backup replace everything in the file with the following:
So in the above I’m creating a separate private network (10.10.10.0/24) behind the publicly available IP address aaa.bbb.ccc.ddd and am doing some iptables commands to set up masquerading. This is sorta like setting up a home router to share a publicly available IP address you have at home. Once this is in place reboot the host and make sure you can log back into https://aaa.bbb.ccc.ddd:8006/ and get the proxmox interface. If you’re good to go, as next step spin up two Ubuntu containers (I won’t go into details on this… lots of docs out there for this). Your OpenVZ Container confirmation screen should look something like this:
The only really important thing here is that you set up the networking under Network tab as Bridged mode and select vmbr0 as your bridge. Once that’s done ssh back to your host (aaa.bbb.ccc.ddd). Assuming you have two containers 100 and 101, enter one of them by using the vzctl command:
Once inside the container you need to set up the networking. Again the file here is /etc/network/interfaces (assuming your container is Ubuntu/Debian flavoured). Backup this file first and replace the content with the following:
Note here that I’m using google’s name server. You can use that or substitute your own “real” name servers. Once you reboot the container and enter it again via the host, you should be able to ping just about any real host (www.google.com, www.yahoo.com or whatever). This gives us a basic NAT running on the host and you just need to increment the IP address (10.10.10.2 in the above case) in the setup of the second container. At this point you should be able to enter either container and ping something outside.
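The two interfaces files (the host side with the private bridge and masquerading, and the container side) can be generated from a handful of variables so the second, third and tenth container only differ by one number. This is an added example rather than the post's own configuration: the public interface name eth0, the gateway, the netmask, the DNS server and the vmbr0/10.10.10.1 bridge address are assumptions of the example; aaa.bbb.ccc.ddd stands in for the public address exactly as in the post. It goes slightly beyond the post in that the MASQUERADE rule is restricted to the private subnet and the FORWARD chain gets a drop policy, so a container cannot send traffic out with a source address that is not in 10.10.10.0/24.

```shell
#!/bin/sh
# Added example (not from the original post): generate the proxmox host's
# /etc/network/interfaces (public NIC + private bridge vmbr0 + NAT) and an
# OpenVZ container's /etc/network/interfaces. Interface names, gateway, netmask,
# DNS server and bridge address are this example's assumptions.

PUBLIC_IF="${PUBLIC_IF:-eth0}"
PUBLIC_IP="${PUBLIC_IP:-aaa.bbb.ccc.ddd}"
PUBLIC_GW="${PUBLIC_GW:-aaa.bbb.ccc.1}"      # assumed gateway of the public /24
PRIVATE_NET="10.10.10.0/24"
BRIDGE_IP="10.10.10.1"
DNS_SERVER="${DNS_SERVER:-8.8.8.8}"          # google's resolver, as in the post

# nat_rules IFACE NET: the iptables commands that turn vmbr0 into a NAT router.
# Only packets whose source is inside NET are masqueraded or forwarded, and the
# FORWARD policy is DROP, so a container cannot spoof a foreign source and get out.
nat_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -t nat -A POSTROUTING -s $2 -o $1 -j MASQUERADE
iptables -A FORWARD -i vmbr0 -o $1 -s $2 -j ACCEPT
iptables -A FORWARD -i $1 -o vmbr0 -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# host_interfaces: the proxmox host's /etc/network/interfaces
host_interfaces() {
    cat <<EOF
auto lo
iface lo inet loopback

# public side
auto $PUBLIC_IF
iface $PUBLIC_IF inet static
    address $PUBLIC_IP
    netmask 255.255.255.0
    gateway $PUBLIC_GW

# private side: containers bridge onto vmbr0 and use $BRIDGE_IP as their gateway
auto vmbr0
iface vmbr0 inet static
    address $BRIDGE_IP
    netmask 255.255.255.0
    bridge_ports none
    bridge_stp off
    bridge_fd 0
    post-up echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
    # install the NAT rules when the bridge comes up, undo them when it goes down
    nat_rules "$PUBLIC_IF" "$PRIVATE_NET" | sed 's/^/    post-up /'
    nat_rules "$PUBLIC_IF" "$PRIVATE_NET" \
        | sed 's/^/    post-down /; s/ -A / -D /; s/-P FORWARD DROP/-P FORWARD ACCEPT/'
}

# container_interfaces N: /etc/network/interfaces for the container at 10.10.10.N
container_interfaces() {
    cat <<EOF
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 10.10.10.$1
    netmask 255.255.255.0
    gateway $BRIDGE_IP
    dns-nameservers $DNS_SERVER
EOF
}
```

On the host run `host_interfaces > /etc/network/interfaces` (after taking the backup the post asks for); for the container numbered 100 use `container_interfaces 2`, for 101 `container_interfaces 3`, and so on. The dns-nameservers line needs the resolvconf package inside the container; without it, put `nameserver 8.8.8.8` into /etc/resolv.conf by hand.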
So the rest of this article describes how to set up a secure reverse proxy using apache on the proxmox host (aaa.bbb.ccc.ddd). This way you can just point arbitrary DNS names at aaa.bbb.ccc.ddd and choose (via apache config) which one of your containers will answer the call. You can even get fancy and have multiple hostnames proxied to the same container and do standard “Name based” virtual hosting inside the container. I will just show the one-to-one proxied connection here. Start by installing apache on the host (apt-get install apache2). First we need to activate the proxy module. If you don’t have time to finish this entire procedure DO NOT CONTINUE. Literally in the time it takes to install and configure the proxy, script kiddies will hit your site and use you as a proxy to attack other sites. DO THE PROXY INSTALL AND CONFIG/SECURING PROCEDURE IN ONE SHOT.
Assuming apache is installed go to http://aaa.bbb.ccc.ddd and ensure you’re getting the apache “hello” screen. Now you can enable the three modules needed by issuing the following:
Once that’s done you need to make some changes to your proxmox host’s default apache config which is in /etc/apache2/sites-available/default. For the sake of completeness I’ve included my entire file here. Compare it to yours and modify accordingly:
Pay particular attention to parts that have the comment (# IMPORTANT: YOU NEED THIS)… Guess what… YOU NEED THIS. The first one loads libxml2 which is needed. The second block of code makes sure you are in reverse proxy mode (not in forward proxy) and makes sure the main apache instance can’t be used for proxying. The third and fourth block enable reverse proxy for a particular virtual host name. Now we need to reload apache on our proxmox host and do some testing. Reload apache with (service apache2 reload) and for sanity’s sake change the index.html file in both containers (under /var/www/index.html) to reflect hosta and hostb. I’ve basically just added the words hosta and hostb to the html file. Register hosta.domain.ca and hostb.domain.ca as “A” records in your DNS and point them at the IP address of the proxmox host (aaa.bbb.ccc.ddd).
If everything is working properly you should be able to use your browser and point at http://hosta.domain.ca and get the index.html page specific to that container and the same for hostb. At this point you should be more or less good to go. If you need more containers addressable from the internet, just keep adding this block of code to the proxmox host’s /etc/apache2/sites-available/default and change the hostname and increment the private IP addresses:
Optionally you can now go back and add a couple more ufw rules to only allow access from a particular IP address space (in my case the university network 184.108.40.206/16).
Again with this setup — since we’re preserving the request header and are passing it through the proxy back and forth — you can have hostd, hoste, hostf, all point to the same private IP address in the proxy and do name-based virtual hosting on the apache instance in the particular container, just like a standard name-based virtual host setup. Hope this helps…
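The reverse-proxy section above hinges on two things: a global block that keeps apache out of forward-proxy mode, and one repeated per-hostname block that proxies a name to a container. Below is an added example (my own, not the config file from the post) that emits both in the Apache 2.2 syntax of the Debian 7 era the post belongs to, plus a small check that refuses a config in which forward proxying has crept back in. The hosta/hostb names and the 10.10.10.2/10.10.10.3 addresses follow the post; the check's rules are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): generate the global "reverse proxy
# only" block and per-hostname vhost stanzas for /etc/apache2/sites-available/default,
# and check a config file for the open-proxy setting the post warns about.
# Apache 2.2 syntax; on 2.4 replace Order/Deny/Allow with "Require all denied"
# and "Require all granted".

# proxy_globals: the host must never relay arbitrary URLs on behalf of clients
proxy_globals() {
    cat <<'EOF'
# IMPORTANT: reverse proxy only, and nobody may use the main instance as a proxy
ProxyRequests Off
ProxyVia Off
<Proxy *>
    Order deny,allow
    Deny from all
</Proxy>

EOF
}

# proxy_vhost NAME TARGET_IP: one hostname proxied one-to-one to one container.
# ProxyPreserveHost keeps the original Host: header, which is what lets the
# container do its own name-based virtual hosting behind the proxy.
proxy_vhost() {
    cat <<EOF
<VirtualHost *:80>
    ServerName $1
    ProxyPreserveHost On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass        / http://$2/
    ProxyPassReverse / http://$2/
</VirtualHost>

EOF
}

# check_no_open_proxy FILE: exit 1 if FILE could turn apache into an open proxy.
# Fails on any "ProxyRequests On", and on a ProxyPass without an explicit
# "ProxyRequests Off" (the default is Off, but the post insists on stating it).
check_no_open_proxy() {
    if grep -iqE '^[[:space:]]*ProxyRequests[[:space:]]+On' "$1"; then
        echo "$1: ProxyRequests On found: this host would relay requests for anyone" >&2
        return 1
    fi
    if grep -iqE '^[[:space:]]*ProxyPass[[:space:]]' "$1" \
       && ! grep -iqE '^[[:space:]]*ProxyRequests[[:space:]]+Off' "$1"; then
        echo "$1: ProxyPass present without an explicit ProxyRequests Off" >&2
        return 1
    fi
    return 0
}
```

Usage on the host: `{ proxy_globals; proxy_vhost hosta.domain.ca 10.10.10.2; proxy_vhost hostb.domain.ca 10.10.10.3; }` appended to the default site, then `check_no_open_proxy /etc/apache2/sites-available/default` before `service apache2 reload`. A second check after the reload is to request an unrelated absolute URL through the host (for example with curl's -x option) and confirm it is refused rather than fetched.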
Posted on 10:15, November 23rd, 2013 by Many Ayromlou
Manipulating the Clipboard from the Command Line: “Copy and Paste are absolute necessities for virtually all computer users, and if you find yourself working in the command line frequently, you’ll want to know how to manipulate the clipboard. The commands pbcopy and pbpaste do exactly what they sound like, copy and paste through the command line. They’re actually quite powerful and you’ll be sure to find them useful the next time you’re hanging out with your bash prompt.”
Posted on 16:01, August 15th, 2013 by Many Ayromlou
After battling this for about a week I think I’ve got it figured out. You can install all the required packages and get everything to talk to your license server from command line. BTW, before I start, you need to have a functional license server otherwise you can stop reading now. I’m gonna use licserver.com as the domain name of mine, so substitute your DNS name where necessary. Before we start you need to figure out your product codes from the table at the following address:
My products are Maya (657F1), Mudbox (498F1) and my Suite number for ECSU is 793F1. You’ll need these later. Also my base directory (current directory) in these commands is “MacOSX”, there are separate folders for the individual ECSU apps under this folder. First we install Maya:
Then we create a file named Maya2014.lic in folder /private/var/flexlm and put the following text inside it:
Make sure this file has at least read permission for group and others (mine is 744). Then we create another file named License.env in folder /Applications/Autodesk/maya2014/ and put the following text inside it:
Install the standalone adlmgr package (you’ll get errors later if you don’t do this):
Now comes the fun part of enrolling the serial number into the license manager. Remember the Product code and the Suite code I had you look up earlier, we need them now. In the following command line -i inserts, “N” is for network license type, First Code is the Product code (Maya) and the second code is the Suite code (ECSU in my case). The following command should get the license added (use the proper serial# starting with 379):
If you screw up you can remove the license via this command:
Next step is optional. When Maya starts it displays a bunch of intro screens. Since my deployment is run by a KACE appliance I need to be able to Pre-disable these popup screens. The following command will let you do that:
Next we need to install all the Optional installs Maya comes with. Some of it is probably already installed by the Maya installer, but I installed them again for good measure. No harm done. Use the following 11 installer commands to install them:
Now check to make sure Maya is working and all the other extra little apps we installed are functional. They should be. If not stop and review. Assuming it’s all working, let’s move on and install Mudbox and the last few optional installs. First we need to install Mudbox:
Then we need to create the License.env file in /Applications/Autodesk/Mudbox2014/ folder with the following content:
Now comes the fun part of enrolling the serial number into the license manager. Remember the Product code and the Suite code I had you look up earlier, we need them now. In the following command line -i inserts, “N” is for network license type, First Code is the Product code (Mudbox) and the second code is the Suite code (ECSU in my case). The following command should get the license added (use the proper serial# starting with 379):
If you screw up you can remove the license via this command:
Only two more install commands left to go. These are optional packages that are part of ECSU. Use the following two installer commands to get them installed:
Now you should be able to run Mudbox and pretty much all the other apps that are in Autodesk folder under Applications. Hopefully it all worked out for you. I will try to get a KACE workflow done for this in the next few days. If you’re a KACE user and end up making the workflow before I do, please share :-).
Creating OSX and Windows compatible Dropbox Functionality in Windows Server 2008 R2 with Dell FS7500 NAS backend.
Posted on 15:55, February 28th, 2013 by Many Ayromlou
This took a while to figure out, mainly because I’m a unix guy trying to “figure out” Windows Server and its archaic ACL system and the fact that ACLs/attributes under OSX are just insane. The main issue I had with all the other recipes on the net describing this process was that it did NOT work for OSX/Finder. When users transferred the files, Finder was not able to strip off its “in-use” attribute from the file once copied to the destination. This would leave files in limbo (greyed out) and no one could touch/access them from another Mac until I stripped the “in-use” attribute off manually. Normally SMB capable NAS devices ignore Finder/OSX attributes and this does not happen, but FS7500 is “mac friendly” and preserves the attributes so we had to figure out a way to give Finder enough rights to be able to strip the attribute off once the file was copied.
The core idea here is that you have a windows share (\\elm\DROPBOX in my case) which has a bunch of subfolders under it, one per class (they are in the form of BDCxxx.yyy in my case). What we’re trying to do is give AD users who are in AD groups (also called BDCxxx.yyy in my case) which represent classes enough permission to get inside \\elm\dropbox and see the name of the subfolders and be able to drag files onto the appropriate class subfolder (BDCxxx.yyy), essentially submitting their assignment. What we don’t want to let the users do is to peek inside those subfolders. It’s the equivalent of a “write only” group permission on a folder (no execute or read bit) in unix land. We also want to have our instructors be able to access everything in the DROPBOX share, so we use a group called DropBoxMasters for that purpose.
For the sake of this example I will use the student/class group BDC974.011 which the students belong to and DropBoxMasters group for our instructors. So here we go:
1) We obviously need a share. If you’re using a FS7500 NAS you just create the share and that’s it, no sharing permissions, everything is controlled by Windows ACL’s. If your share is on windows then I guess you can give full control sharing permissions to Domain Users. Once this is done we access \\elm to set the Windows permissions on DROPBOX share.
2) For DROPBOX we need the following permissions to be set to Allow and Apply it to “This folder only”: Traverse folder/execute file, List folder/read data, Read attributes, Read extended attributes, Read permissions. This will allow our BDC974.011 students to see the content of this folder (i.e. the subfolders, one per course). Remember that you need to create this permission set for each individual course/group/class. And remember to apply to “This folder only”.
3) Still on DROPBOX share permissions we want to setup the DropBoxMasters group. This one is easy since it’s “Full control” permission that applies to “This folder, subfolder and files”. Easy :-)
4) Before we go on, a note about the above process. In the permissions/Advanced security settings you should only have the “class/course” groups, the DropBoxMasters group, SYSTEM group (with full control) and Domain Admins (with full control). Next we want to create the subfolders inside DROPBOX, one subfolder per course/class (BDC974.011 in my case). Permission wise we want to setup the following permissions for the group that matches our course/folder (i.e. the example screen shots here are for group BDC974.011 on subfolder \\elm\DROPBOX\BDC974.011). We need the following permissions to be set to Allow and Apply it to “This folder only”: List folder/read data, Read attributes, Read extended attributes, Create files/write data, Create folders/append data, Write attributes, Write extended attributes, Read permissions.
5) Still in the security settings for the course subfolder we need to add “CREATOR OWNER” to the list of permissions (this is a built-in windows entity) and give it the following permissions for “Files only”: basically all the allow check boxes EXCEPT the following (leave unchecked): Full control, Change permissions, Take ownership. Remember these permissions are to be applied to “Files only”.
That’s it… Now just keep repeating this for all your courses/groups.
Posted on 09:55, February 20th, 2013 by Many Ayromlou
Does sh*t like this make you wanna smack your mac :-)
Here is a quick way to rebuild the Launch Services database and get rid of duplicates in the Open With submenu:
This process should take about a minute or two. You should check to see if this has fixed the problem. On my machine, running 10.8.2, I had to also restart Finder to complete the process using the following command:
That’s all… Now the Open With submenu is squeaky clean.
Posted on 12:24, October 4th, 2012 by Many Ayromlou
Posted on 16:36, September 20th, 2012 by Many Ayromlou
Yeah, brand new app in iOS 6 and it does not work without fiddling… Here is how you get it working:
That’s it…….life goes on :-)
Posted on 16:33, August 28th, 2012 by Many Ayromlou
Posted on 13:28, August 24th, 2012 by Many Ayromlou