Interestingly enough Apple provided a dispatch_after code snippet, but not one for dispatch_async. A side effect of this oversight is that the code completion appears to show snippets first. So I’ve created two additional snippets that reflect the most common use cases that I encounter – dispatch_async with a global or main queue.

Download my Xcode GCD Snippets and install into ~/Library/Developer/Xcode/UserData/CodeSnippets and restart xcode.

Enjoy and never again see dispatch_after!

Background

Before we get to the implementation details, a little background is necessary. If you use HTTP Live Streaming and AVFoundation, typically you encode your content at multiple bit rates so that the client can deliver suitable content over a wide spectrum of conditions. This can and typically does happen throughout the playback of your content with AVFoundation switching streams, either higher or lower, depending on network conditions. The result is that the actual bit rate can be a very transient value.

Additionally, we also need to clarify that there’s really two bit rates; an implied bit rate, and an observed bit rate. What’s the difference? The answer is relatively simple. The implied bit rate is the rate in which the server has encoded the media to be displayed and represents a minimum rate level that the client should be able to maintain to properly display the content. The observed bit rate then is the rate that the player actually observed. Where the implied bit rate is provided by the server, the observed is calculated by the player itself. In this instance, we’re going to provide the implied bit rate.

Details

The docs for AVFoundation don’t point to an obvious solution. The AV Foundation Programming Guide doesn’t provide any insight on the matter either. Well, maybe one nugget. Here’s a simplified class diagram of the relevant parts of AVPlayer.

When media is being played, AVPlayer is really presenting the contents of it’s currentItem, which is an AVPlayerItem class. If you look closely at the API docs for AVPlayerItem, you will see the -accessLog method which is defined as, “[returning] an object that represent a snapshot of the network access log.” We’re getting closer.

Falling down the rabbit hole we find that the returned object, an AVPlayerItemAccessLog contains an events property that is a simple NSArray of AVPlayerItemAccessLogEvent objects. One more iteration and we find it. Within the AVPlayerItemAccessLogEvents we find two properties that appear to be related to the bit rate. The indicatedBitrate and the observedBitrate.

After testing these I can verify they are indeed usable. The indicatedBitrate is the bitrate reported by the server proving the HLS stream, and therefore “indicated.” The observedBitrate is an empirical value that’s derived from the data received by AVPlayer and represent a more real-world calculation of the players bit rate.

As usual, the actual research took longer than the coding. Here’s hoping to save someone else the pain of “falling down the rabbit hole.”

1.) Compile library for each SDK as usual.
2.) lipo -create libdevice.a libsimulator.a -output libcombined.a

That’s it.

I like the desktop clutter free, and mounted volumes that I’ll never directly need access to (away from the command line), I don’t want to see on the desktop. However, I do want to see items like USB flash drives mounted on the desktop. Unfortunately these items are all considered “External disks.” However there is a solution.

And it’s a very simple solution. First, make sure that Finder is configured to display external disks on the desktop. The real answer lies in using the built in file flags that are part of Mac OSX. Simply issue a chflags hidden [file] and you’re already the majority of the way there.

Example:

$ chflags hidden /Volumes/Time\ Machine/
$ chflags hidden /Volumes/Media/

You can verify that the flags were set by using:

$ ls -ldO /Volumes/Media
drwxrwxr-x@ 11 jhowk  staff  hidden 442 Jul 29 18:29 /Volumes/Media

The last item that needs to be done is to restart the Finder. The chflags changes will not be reflected until the Finder has been restarted.

In this particular case a commit was made after deployment but before the merge, effectively wiping out the changes to trunk. However we still needed to have the commits re-applied. We could have attempted some SVN slight-of-hand, but as it usually works out, the simplest solution is usually the best.

The easiest, and most scriptable solution was to use the way back machine and apply somediff and patch magic. Here’s what we did (make sure your completely up to date when you do).

1. Get the files that were changed in the previous revision with
   svn log -v -r [REV] |grep "^ M " |awk '{print $2}' |cut -c2-
2. Go old school and diff and patch
   svn diff -r [REV] [FILE] | patch -R [FILE]
3. Commit away!

Assuming the changes you want applied are in version 2, and HEAD is at version 3, here’s how it might look

for f in `svn log -v -r 3 |grep "^   M " |awk '{print $2}'|cut -c2-`; 
do 
svn diff -r HEAD $f | patch -R $f; 
done

Lastly, issue the commit and your back to where you should be…

If you have the public key handy, you can do this:

ssh-keygen -l -f [public key file]

And you get exactly what you need; a fingerprint of your public key.

More importantly though, is that Xcode was just one application in a suite of tools that was installed in /Developer. In order for Xcode to become an “application” in the App Store vis-a-vis an installer, a number of changes were made that will affect Xcode users prior to 4.3.

Here’s a summary of some of the changes that have been found.

• The contents of /Developer have been moved into /Applications/Xcode.app/Contents/Developer.
• On my machine at least, xcode-select was not updated to point to this new directory, so command line invocations of some of the tools failed outright.
  To fix: sudo xcode-select -switch /Applications/Xcode.app/Contents/Developer
• Some of the tools are still delivered, but quasi-hidden in the app bundle.
  
  

  Developer Tool Menu

  
  To access them, right-click on the Xcode icon and under “Open Developer Tool” five of the additional tools can be accessed. Instruments, File Merge, Icon Composer, OpenGL ES Performance Detective, and Application Loader are found under this new menu option.

If you want a full blown breakdown of the changes to Xcode 4.3, Peter Hosey has an excellent write up. Check out http://boredzo.org/blog/archives/2012-02-17/xcode-and-friends

If however you would like to do something like contacts where the perceived “background” of the table view is something other than default. If that’s the case, it’s relatively easy to do. Here’s how.

In your UITableViewController (usually viewDidLoad:)

// This sets the lighter linen looking background.  see UIColor for more "System Colors"
[[[self navigationController] view] setBackgroundColor:[UIColor underPageBackgroundColor]];
// Make the background of the table view transparent.
[[self tableView] setBackgroundColor:[UIColor clearColor]];

Then implement this method in your UITableViewController:

-(void)tableView:(UITableView *)tableView willDisplayCell:(UITableViewCell *)cell forRowAtIndexPath:(NSIndexPath *)indexPath
{
    [cell setBackgroundColor:[UIColor whiteColor]];
}

After playing around and failing in different ways, this seems to be the simplest solution by far. Simple, easy and does what it should.

For those who are wondering, you can find a plethora of resources on how to do it if you so choose, but I did want to point out a few quirks that I ran into after the install. I’m not sure if these are environmental differences that I had adjusted a some point in the past, but when I re-installed a clean version of Lion a few things changed.

1. Mission Control – By default, there’s really only one space. If you upgraded an existing SL installation and used spaces, it created them by default in MC. Furthermore, Control-UP activates MC. Control-Down does the old Exposé routine.
2. Tap to Drag – I don’t remember the actual starting state of this but I checked on another laptop and my desktop with the Magic Trackpad and they were configured the same so I’m working under the assumption that this may affect a few people like myself. If you were used to the whole tap to drag routine, it’s not there — well technical it’s there but not active. Once you activate the tap to click, tap to drag doesn’t. And it’s not in the Trackpad preference pane either. Strangely enough, it’s tucked away under Universal Access/ Mouse & Trackpad/ Trackpad Options…

As I find more quirks I’ll update this post.

Enjoy.


wget -N -r -nH -np --cut-dirs=3 -A rpm,xml http://archive.cloudera.com/redhat/cdh/3/


To create the isolinux boot image:

Mount the DVD image.

mount -o loop /path/to/dvd.iso /mnt

Copy the data locally.

rsync -av /mnt/isolinux [where ever]

Edit the isolinux.cfg file to update and point to proper kickstart location, and make it auto start by setting prompt to 0.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23

default linux
prompt 0
timeout 600
display boot.msg
F1 boot.msg
F2 options.msg
F3 general.msg
F4 param.msg
F5 rescue.msg
label linux
  kernel vmlinuz
  append initrd=initrd.img ks=nfs:192.168.0.1:/mnt/vg1/iso/kickstart/centos55_text.ks
label text
  kernel vmlinuz
  append initrd=initrd.img text
label ks
  kernel vmlinuz
  append ks initrd=initrd.img
label local
  localboot 1
label memtest86
  kernel memtest
  append -

Create a simple script in the isolinux directory to do the heavy lifting.

1
2
3
4
5
6

#!/bin/sh
ISO_NAME=centos55_boot.iso
# Remove the old iso.
rm -f $ISO_NAME
# Make the image.
mkisofs -o $ISO_NAME -b isolinux.bin -c boot.cat -no-emul-boot -boot-load-size 4 -boot-info-table -R -J -v -T $PWD

Kick it off and you should now have a viable boot image. Once you boot the newly created guest, just boot using the new image and it will automatically start your kickstart installation.

sudo add-apt-repository ppa:pitti/postgresql

Once that is done, you may need to enable the updates to use backports. In Synaptic, open Settings -> Repositories and select the Updates tab. Make sure that “Unsupported updates” is checked.

Then just update as usual, and Postgres will be updated to the latest and greatest.

Phone Number Validation

This would be useful to validate phone numbers of customers, clients or prospects. This only validates the 10 digit phone number that does not have parenthesis and dashes. Minor modifications would be necessary to validate with those formatting characters included. (via NANPA.)

^(8(?:00|88)|([2-9])(?!\2{2}|9[\d]|00|11)[\d]{2})([2-9&&[^5]][\d]{2}|(?:5(?!55)[\d]{2}))([\d]{4})$

[UPDATE: Didn't like what I had before and this should be a smaller, more optimized, version.]
This regex covers:

• All ERC (Easily Recognizable Codes) which would include codes like 333,444,555, etc.
• Allowance for toll-free numbers (800,866,877,888, etc.)
• ERC Service codes 211,311,411,511,611,711,811,911.
• Unallocated and/or premium codes (200,300,400,500,700,900, etc.)
• Standard area codes from 201 to 989.
• Removal of 555 Central Office prefix.

If you want to give these a try there are a number of online utilities, but RegExr is one of my favorites.

1. yum install kernel-devel gcc
2. either ln -s /usr/src/kernel/[current version] /usr/src/linux or
3. export KERN_DIR=/usr/src/kernel/[current version]
4. Then the usual ./VBoxLinuxAdditions-[arch].run

For whatever reason, the VirtualBox guest additions still expect to find the kernel headers in /usr/src/linux and not the location in which they are really installed to.

The problem is that OpenSSO express doesn’t exist anymore. Well not in a form supported/provided by Oracle. ForgeRock now has it and it’s been rebranded to OpenAM. The good news is that all of these tutorials and documents still are valid — so long as you actually got the right piece of software.

I wish that when folks write documentation they include specifics about the software they are writing about. But then again, maybe it’s just me…

Once you’ve downloaded your organizations enterprise or partner WSDL, in Netbeans, right-click on the project and select New -> Web Service Client (if it’s not there then New -> Other -> Web Services Category, and then Web Service Client). Select Local File and Browse to the location of your downloaded WSDL. Specify your package and leave the Client Style as JAX-WS and “Generate Dispatch Code” unselected.

Netbeans will attempt to do it’s thing and fail with an error – however, it’s not the only thing standing between you and a working web service client in Netbeans. Below is the error that I received.

In this case, it’s complaining about a ComplexType and element that share the same name. There are two different ways to solve the problem and really only one that works with Netbeans. To properly fix the issue (and have Netbeans “see” the fix) you need to create a JAX-WS binding document to prevent the naming collision from occurring. To do this create a new file and cut and paste this into it. You may have to adjust the @targetNamespace='urn:enterprise.soap.sforce.com' to whichever version (enterprise or partner) your using.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

<bindings
  xmlns:jaxb="http://java.sun.com/xml/ns/jaxb"
  xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
  xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns="http://java.sun.com/xml/ns/jaxws" wsdlLocation="../wsdl/enterprise.wsdl">
  <bindings
    node="//xsd:schema[@targetNamespace='urn:enterprise.soap.sforce.com']">
    <jaxb:globalBindings
      underscoreBinding="asCharInWord" />
    <jaxb:schemaBindings>
      <jaxb:nameXmlTransform>
        <jaxb:typeName suffix="Type" />
      </jaxb:nameXmlTransform>
    </jaxb:schemaBindings>
  </bindings>
  <enableWrapperStyle>false</enableWrapperStyle>
  <enableAsyncMapping>false</enableAsyncMapping>
</bindings>

But we’re not done quite yet. Even though the first attempt failed, Netbeans created a new “Web Service References” node in the Projects tree. If you expand that node, you’ll see your webservice. Right-click on the service and select “Edit Web Service Attributes”. Select the “WSDL Customization” tab and scroll all the way to the bottom section named “External Binding Files”. Expand it, and click “Add”. Answer “Yes” to the dialog and then find the xml file you created earlier that contained the binding changes.

Once you select “OK”, a dialog will appear indicating that a refresh of the client is underway. At that point, Netbeans will attempt to re-create the client. If all goes well you should have a working SFDC client in Netbeans.

[UPDATE 1]

The security model in the SFDC API is interesting. In order to properly utilize the service, you must do two things after logging in. One, re-point to a URL that actually contains your organization, and two, make all subsequent calls to that new URL with a session ID that is provided as a result of the login process. The good thing is it’s documented. The bad thing is it’s not documented well at all for JAXWS. What follows is a condensed version of what it took to make it really work.

Repoint to the correct URL

You log into one URL and as part of the LoginResponse you get the real URL of your organization. All subsequent calls made after logging in must use this new URL. It’s in the documentation and described well. However, the redirection of subsequent calls requires the user (caller) to change the ENDPOINT_ADDRESS_PROPERTY to the new URL. The SFDC documentation that uses Axis, shows that with Axis the ability to manipulate a SOAP binding property is relatively straightforward. Unfortunately it’s not quite so simple with JAXWS.

All of the documentation regarding using JAXWS in SFDC focuses on the use of the non-standard com.sun.xml.internal.ws.developer.WSBindingProvider to get access to the SOAP binding properties to insert the new endpoint URL once the login has successfully completed. For some reason, if you attempt to use this from glassfish, the downcast of the port to WSBindingProvider causes an exception preventing it from working properly and successfully getting the port to re-point to the proper endpoint URL. However, I was able to figure a way around the WSBindingProvider to get access to the SOAP header to set the proper endpoint address. I’ll detail that step in another post.

Provide the proper session ID

This workaround was somewhat simpler even though the reasons are just a complex. The short answer is that the SOAP headers are not implicitly defined in the Salesforce.com WSDL. Because the SOAP headers are defined in the WSDL binding section instead of the portType section, they don’t become available and you won’t be able to get set the proper session ID wihout getting really creative. The solution is very straightforward. In the WSImport Options tab where you set the jaxb options, set one more WSImport Option as well. Add in xadditionalHeaders and true.

When done successfully, the method signatures will now include a parameter for the SessionHeader (where you set the sessionID).

I’m going to show a full working example of all of this in a subsequent post for those who want/need more information.

[UPDATE 2]

Upon further testing it appears that wsimport will disregard the -XautoNameResolution if you also provide a mapping file because they’re actually attempting to do the same thing. Furthermore, if you just use -XautoNameResolution without the mapping, wsimport will work properly however Netbeans doesn’t “see” the fix and still complains even though you can compile and run. Removing the references for -XautoNameResolution for now.

Enjoy.

Technology books (especially programming books) are a required item for most software professionals and my office at work is littered with them. At any given time there are a dozen books that I may actively reference on a day-to-day basis for the projects that I’m working on. My main library, literally, is my home. I cycle books in and out of my house with the regularity of a public branch library; albeit one dedicated to technology. I have racks of books in my basement where they are shelved and ready to be used when needed. While not necessarily grouped and classified using structure of the Dewey Decimal System, it’s good enough for me.

If you’ve been around software long enough you’ve been exposed to the almost universal maxim regarding software — it almost never stops changing. Software changes and grows, sometimes organically, sometimes in rough and abrupt ways, but rarely does it stay constant. Nascent projects change so rapidly that any attempt to produce good documentation usually leads to those same documents being outdated before they are published. Luckily, maturity usually means a certain level of stability where documentation can be produced and consumed before a new version of the system is released and the documentation has to be updated. It becomes an infinite, but necessary loop.

At some point someone may write a book on the subject at which point in time the current state of system is not only captured, but actually printed and bound, effectively freezing the state of the system for all time. But if software is constantly evolving, doesn’t the material physically printed in these books become obsolete? Yes, and it’s a common problem that those of us who purchase technology books have come to accept. A technology book isn’t like most other books — it has a built in but hidden expiration date. Because almost all software invariably changes, the printed page being a physical immutable object can no longer accurately describe the current state of the system. Most readers of technology books learn this, and book publishers have grown smarter about it and started to identify the version of the software that the book applies to.

The Problem

At some point the printed material itself becomes more than outdated, it becomes obsolete. I have collected hundreds of technology books over the years. Some for work endeavors, others for personal learning, but all have served me well. Unlike non-technology focused books, I have to periodically purge my collection to avoid the issues described earlier. There may be someone who becomes interested in the lineage of a particular piece of software and therefore the book becomes a historical reference capturing the evolution of a piece of software. But for most of us, they simple become unusable and start collecting dust.

With book prices typically ranging between $30.00 and $70.00, purchasing something that’s going to be out of date in the near future may not be the best financial decision in the long run. Witness the prices for a used Java EJB book on Amazon.

This particular title, is selling for $0.29 used. Anyone who purchased this book new and at list price has lost 99.99% of it’s original value. It’s understandable why. This particular book has been in print since late 2004. The subject matter is mature but now outdated. The value that this book provides is limited to anyone who must still use or support this older version and the audience will continue to shrink over time.  To be fair to the authors of the book, an updated version of this book has already been released that addresses the improvements to EJBs. The changes are sufficiently large enough to warrant re-purchasing the book again even if someone currently possesses the previous version.

After years of this, I think it’s getting wasteful. Both on my wallet and the amount of dead trees that I currently house in my personal library. For my technical collection, I have wished for a solution that avoids the dead tree and continual update syndrome for those of us who purchase technology books are subject to. I want authors to get paid, high quality material to continually be published, and I’m willing to re-purchase for documentation that contains significant changes or for new version. However, I also want to have access to updates and fixes to typographical and code examples. Printed material just can’t offer that and my books are usually marked up with errata found on the publishers or book’s web site. It’s not an optimal solution by any stretch of the imagination.

An Interim Solution

One interim solution that I have used for the last couple of years is Safari Books Online. Safari has multiple membership levels, and I subscribe to the one that gives unlimited access to the library for approximately $40.00 a month. So for about the price of one physical book, you get access to a dizzying array of technical books for the same cost. For me personally it’s worked well. Here’s an example of the book discussed earlier.

Safari allows me access to all versions of this book. As new editions are released, the updates are also released into the library satisfying my need for access to timely updates to typographical and code corrections. The interface gives a true print fidelity view as well so what appears on the screen is what the book actually looks like printed. Just as important, you can annotate, bookmark, and make notes. Additionally, as a bonus, you are also given tokens that can be redeemed to download chapters and/or entire books into PDF form and kept offline. Safari has a ton of features so it’s worth a look for someone who is purchasing books on a regular basis.

The problem with Safari is that it is a service. Once you stop paying, you lose everything. PDF’s you generate and have downloaded are yours, but everything else is gone. So far it hasn’t been an issue, but it’s something to be aware of. Finally, and this is a personal issue, I don’t really enjoy reading on a monitor. Usually with most technical books it’s done in a reference type mode so it’s usually not a continual three hour session but nevertheless it’s not very ergonomic.

Overall Safari is great. It deals with most of my issues about owning technical books. I still have to read them online, but for the price, my technical collection expanded a hundred-fold and I never have to donate a book again. As an interim solution I think it has worked well and I’ll continue to subscribe to Safari just for the unfettered access to a huge technical library. Still, what I really want is something that I can hold in my hand but has the power of Safari.

The Perfect Solution

What I really would like is for the publishers of technical books to always provide a version of the book that could be used with the latest eReaders like the Barnes & Noble Nook or the Amazon Kindle. If I could tote around one of those with a couple hundred technical eBooks, I’d be loving life. I wouldn’t know what to do with myself if I could get access to Safari using the eReader as an interface. The eBook concept, especially for technical books, is a great idea that is being offered more and more. They’re priced considerably less that the printed version, and I don’t have to deal with the disposal issues later.

I think we’re close enough that I purchased a Nook. The screen may be smallish for technical reading, but it’s a start and it has to be better than the monitor. It can hold an entire libraries worth of book and it’s portable. Only time will tell, but it’s a start. As a result, I think I’ll convert this article into a series about getting technical material on eReaders. As I progress I’ll continue the series. Happy eReading for all.

/etc/cron.daily/logrotate:
error: zimbra:64 unexpected text

It’s due to a typographical error in /etc/logrotate.d/zimbra that has not been fixed in the latest release (6.0.3.) The log rotate configuration file for Zimbra as delivered has a typographical error in the freshclam section.

1
2
3
4
5
6
7
8
9
10
11
12

/opt/zimbra/log/freshclam.log {
    daily
    missingok
    copytruncate
    notifempty    create 0660 zimbra zimbra
    postrotate
     kill -HUP `cat /opt/zimbra/log/freshclam.pid 2> /dev/null` 2> /dev/null || true
    endscript
    compress
    size 5000k
    rotate 7
}

On line five, the notifempty and create 0660 zimbra zimbra have been concatenated together. To fix, just move the create stanza to the next line like so.

1
2
3
4
5
6
7
8
9
10
11
12
13

/opt/zimbra/log/freshclam.log {
    daily
    missingok
    copytruncate
    notifempty    
    create 0660 zimbra zimbra
    postrotate
     kill -HUP `cat /opt/zimbra/log/freshclam.pid 2> /dev/null` 2> /dev/null || true
    endscript
    compress
    size 5000k
    rotate 7
}

Be aware that since this isn’t officially fixed from the folks at Zimbra, any updates applied after this change is made may revert this back to the original, broken behavior.

Enjoy.

The problem is that the default memory settings in VirtualBox for fedora are insufficient. Reset the system base memory to a more appropriate 512MB and you’ll find the installation routine runs as expected.

Enjoy.

The solution was relatively simple:

[zimbra@zimbra ~]$ zmprov mcf zimbraMtaMyDestination 'localhost zimbra.subaquatic.net'

That allowed us to use the /etc/aliases file and forward logwatch emails destined for root to our mailbox of choice.

Adobe PDF – The defacto standard.

In most instances, an Adobe PDF of the file yields excellent results. It’s simple enough to convert a man page to PDF:

$ man -l -Tps /path/to/manpage | ps2pdf14 - manpage.pdf

It’s dead simple, and produces good output. I haven’t run into any issues providing PDF’s in this manner. Groff/troff don’t yet support a PDF as a output device, so for now the man page is output in PostScript and then converted into PDF. If you’re not familar with man, the -l is for a local file. If you want to do this on a known command (i.e. man itself), remove the -l.

PostScript or DVI

To produce PostScript or DVI output, it’s even easier than creating PDF’s as these devices are known to groff/troff.

$ man -l -T[ps|dvi] /path/to/manpage > manpage.[ps|dvi]

Remember that if you need/want to proof this on screen, you’ll need applications that can display PostScript and DVI files. If your on Linux, evince can display both formats. Windows folks are on their own. To determine what devices are available, man man or man groff and look at the -T argument for output device possibilities.

The screen?

Typically when I author man pages and if I use some special formatting or more complex layouts, I want to graphically proof what I’ve done. xman won’t work in these instances, and all that’s really needed is to get a good idea of what it’s going to look like when it’s printed. The normal man command is good enough to get a textual reference, but not a graphical one, and the methods above are too cumbersome for a quick proof. So is there another way to view it?

Yes there is and you get to go really old school with this:

$ troff -man /path/to/manpage | xditview -

or if your using some special macros (like tbl), you can use groff instead and have it invoke gxditview directly instead.

$ groff -X -t -man /path/to/manpage

The nice thing is that you can print from gxditview if necessary. It’s quick and easy to view a man page in this manner and works well for a quick look. If you still want to keep it seriously old school the troff equivalent would be tbl /path/to/manpage | troff -man -|xditview -

Enjoy.

ldapsearch -x -s base -b "cn=subschema" ldapsyntaxes

Should end up with output like:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57

[root@ldap schema]# ldapsearch  -x -s base -b "cn=subschema" ldapsyntaxes
# extended LDIF
#
# LDAPv3
# base <cn=subschema> with scope baseObject
# filter: (objectclass=*)
# requesting: ldapsyntaxes 
#
 
# Subschema
dn: cn=Subschema
ldapSyntaxes: ( 1.3.6.1.1.16.1 DESC 'UUID' )
ldapSyntaxes: ( 1.3.6.1.1.1.0.1 DESC 'RFC2307 Boot Parameter' )
ldapSyntaxes: ( 1.3.6.1.1.1.0.0 DESC 'RFC2307 NIS Netgroup Triple' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.52 DESC 'Telex Number' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.50 DESC 'Telephone Number' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.49 DESC 'Supported Algorithm' X-BIN
 ARY-TRANSFER-REQUIRED 'TRUE' X-NOT-HUMAN-READABLE 'TRUE' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.45 DESC 'SubtreeSpecification' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.44 DESC 'Printable String' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.41 DESC 'Postal Address' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.40 DESC 'Octet String' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.39 DESC 'Other Mailbox' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.38 DESC 'OID' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.36 DESC 'Numeric String' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.34 DESC 'Name And Optional UID' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.28 DESC 'JPEG' X-NOT-HUMAN-READABLE
  'TRUE' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.27 DESC 'Integer' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.26 DESC 'IA5 String' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.24 DESC 'Generalized Time' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.22 DESC 'Facsimile Telephone Number
 ' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.15 DESC 'Directory String' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.14 DESC 'Delivery Method' )
ldapSyntaxes: ( 1.2.36.79672281.1.5.0 DESC 'RDN' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.12 DESC 'Distinguished Name' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.11 DESC 'Country String' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.10 DESC 'Certificate Pair' X-BINARY
 -TRANSFER-REQUIRED 'TRUE' X-NOT-HUMAN-READABLE 'TRUE' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.9 DESC 'Certificate List' X-BINARY-
 TRANSFER-REQUIRED 'TRUE' X-NOT-HUMAN-READABLE 'TRUE' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.8 DESC 'Certificate' X-BINARY-TRANS
 FER-REQUIRED 'TRUE' X-NOT-HUMAN-READABLE 'TRUE' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.7 DESC 'Boolean' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.6 DESC 'Bit String' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.5 DESC 'Binary' X-NOT-HUMAN-READABL
 E 'TRUE' )
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.4 DESC 'Audio' X-NOT-HUMAN-READABLE
  'TRUE' )
 
# search result
search: 2
result: 0 Success
 
# numResponses: 2
# numEntries: 1

Example:

1
2
3
4
5
6

<cobertura-instrument todir="${cobertura.inst.classes}" datafile="${cobertura.datafile}">
    <fileset dir="${build}">
      <include name="**/*.class"/>
      <exclude name="**/*Test*.class"/>
    </fileset>
</cobertura-instrument>

Here’s one of my full Cobertura target’s that contains the above example.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41

<target name="cobertura" depends="compile">
    <property name="cobertura.home" value="/opt/cobertura-1.9.1"/>
    <property name="cobertura.datafile" value="${build}/cobertura.ser"/>
    <property name="cobertura.inst.classes" value="${build}/instrumented-classes"/>
    <property name="cobertura.coverage" value="${reports}/coverage"/>
 
    <!-- Cleanup an previous runs -->
    <delete dir="${cobertura.coverage}"/>
    <delete dir="${cobertura.inst.classes}"/>
    <delete file="${cobertura.datafile}"/>
 
    <path id="cobertura.classpath">
        <fileset dir="${cobertura.home}">
            <include name="cobertura.jar"/>
            <include name="lib/**/*.jar"/>
        </fileset>
    </path>
    <taskdef classpathref="cobertura.classpath" resource="tasks.properties"/>
 
    <cobertura-instrument todir="${cobertura.inst.classes}" datafile="${cobertura.datafile}">
        <fileset dir="${build}">
            <include name="**/*.class"/>
	    <exclude name="**/*Test*.class"/>
        </fileset>
    </cobertura-instrument>
 
    <junit showoutput="true" printsummary="withOutAndErr" fork="true" forkmode="once" failureproperty="test.failed">
        <classpath refid="cobertura.classpath" />
        <sysproperty key="net.sourceforge.cobertura.datafile" file="${cobertura.datafile}" />
 
        <classpath location="${cobertura.inst.classes}" />
        <classpath location="${build}"/>
        <batchtest todir="${reports}/junit/">
          <fileset dir="${src}">
            <include name="**/*Test*.java"/>
          </fileset>
        </batchtest>
    </junit>
 
    <cobertura-report srcdir="${src}" destdir="${cobertura.coverage}" datafile="${cobertura.datafile}"/>
</target>

The doc cover says it covers up to XenServer 4.1, but works for 5.0 with some adjustments. The condensed and revised version is:

1. While booting off of the CD/DVD, hit escape to stop the timer, and select F2
2. At the boot prompt, type menu.c32
3. Move to the install line and hit the tab button to bring up the boot stanza.
4. After /boot/xen.gz insert no-real-mode acpi=off and hit enter
5. Boot process should continue and you install away.
6. However, this doesn’t fix the problem from re-occuring after installation (this is where the document diverges drastically.)
7. With the installation CD/DVD out of the machine, boot the machine and at the boot: prompt, again type menu.c32
8. Select the xe boot option and hit tab to edit the boot stanza.
9. After /boot/xen.gz, add acpi=off again and hit enter. XenServer should now start up properly.
10. To permanently resolve the issue, with XenServer up and running, cursor down to Local Command Shell
11. From the shell, cd /boot and backup the extlinux.conf file.
12. vi extlinux.conf and re-add the acpi=off directly after /boot/xen.gz for each entry

    1 2 3 4 5 6 7 8 9

    label xe # XenServer kernel mboot.c32 append /boot/xen.gz acpi=off om0_mem=752M lowmem_emergency_pool=16M crashkernel=64M@32M console=/dev/null vga=mode-0x0311 --- /boot/vmlinuz-2.6-xen root=LABEL=root-vodjnbjv ro quiet vga=785 splash --- /boot/initrd-2.6-xen.img   label fallback # XenServer (Xen 3.2.1 / Linux 2.6.18-92.1.10.el5.xs5.0.0.426.647xen) kernel mboot.c32 append /boot/xen-3.2.1.gz acpi=off dom0_mem=752M lowmem_emergency_pool=16M crashkernel=64M@32M --- /boot/vmlinuz-2.6.18-92.1.10.el5.xs5.0.0.426.647xen root=LABEL=root-vodjnbjv ro console=tty0 --- /boot/initrd-2.6.18-92.1.10.el5.xs5.0.0.426.647xen.img

13. Exit out of the shell and reboot.

XenServer 5.0 should now startup without any issues.

Answer: After some googling, I made a snapshot of the guest (just in case), and changed the guest configuration from using the default NAT setup to having it bridge directly to my network. Bring the guest back up and attempt the VPN connection again and lo’ and behold, it works. The why/hows are still unknown, but at least it works.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

RMAN-03009: failure of backup command on t1 channel at 02/26/2009 16:31:05
ORA-19513: failed to identify sequential file
ORA-27206: requested file not found in media management catalog
continuing other job steps, job failed will not be re-run
channel t1: starting full datafile backupset
channel t1: specifying datafile(s) in backupset
including current control file in backupset
channel t1: starting piece 1 at 26-FEB-09
released channel: t1
RMAN-00571: ===========================================================
RMAN-00569: =============== ERROR MESSAGE STACK FOLLOWS ===============
RMAN-00571: ===========================================================
RMAN-03009: failure of backup command on t1 channel at 02/26/2009 16:32:11
ORA-19513: failed to identify sequential file
ORA-27206: requested file not found in media management catalog

To fix it, make sure that the CLIENT_NAME in /usr/openv/netbackup/bp.conf matches (including the case) the client name entered in the NetBackup policy.

linux pci=nommconf

This will allow the CentOS Installation to continue.

Believe it or not, it doesn’t really matter which PDF generation mechanism you are using, all work in the same manner and therefore exhibit the same behavior. Whether it’s pdftex, dvipdfm, or ps2pdf, all don’t/can’t use the document class paper size definition. So if that’s all that’s been set, that’s not enough.

There’s two equally simple solutions:

1. Next to your document class, add these additional parameters

   1 2	\pdfpagewidth 8.5in \pdfpageheight 11.0in

   Of course this could be customized to any size paper you wish, but it’s simple and easy enough to include in a template for all future documents.

2. If you’re using a LaTeX distribution like TeX Live and want to make sure everything produced is on letter paper, run the texconfig command.

   jhowk@host:~$ texconfig paper letter texconfig: updated configuration saved as file `/home/jhowk/.texmf-config/dvips/config/config.ps' texconfig: updated configuration saved as file `/home/jhowk/.texmf-config/dvipdfm/config/config' texconfig: updated configuration saved as file `/home/jhowk/.texmf-config/dvipdfm/config/dvipdfmx.cfg' texconfig: updated configuration saved as file `/home/jhowk/.texmf-config/xdvi/XDvi' texconfig: updated configuration saved as file `/home/jhowk/.texmf-config/tex/generic/config/pdftexconfig.tex' ...

   You’ll get a ton of output, but rest assured you’ve set your default paper size to letter. Using texconfig is not setting a system-wide command and only configured the user who ran it. To undo, just remove the .texmf-config and .texmf-var directories in the users home directory. Texconfig is also has a curses based gui if you run it without any parameters.

There it is. Two simple solutions for an issue that unfortunately I’ve run into more than once before…

I’ve been using VirtualBox prior to 1.4, and P2V’ing a Windows host into VirtualBox has been close to impossible. With some hints from Katsumi Inoue and a comment from Robert, I’ve been successfully able to P2V my primary Windows host at work. The following is a quick rundown on how I did it with VirtualBox 2.1.2 and VMware Converter.

1. Get a copy of VMware Converter.  I went with the standalone version, and if you don’t have an enterprise agreement or license with them, you will need this version too.
2. Install it.
3. Run VMware Converter and convert the physical host that you installed it to.  I opted to write the conversion to an external USB drive, and it took about 2 hours to migrate a 37GB disk.  Converter opted for multiple .vmdk’s instead of one monolithic image.  In the past this is where we had to apply some black magic to get VirtualBox to work with a .vmdk.  With the new 2.1 series (this was tested on 2.1.2), VirtualBox is able to use vmdk’s.  With 2.1.2 (possibly earlier), it can deal with a sliced image making this processes extremely simple.
4. Import the VMDK into VirtualBox.  Make sure that you grab the correct vmdk and not one of the slices.
5. Create the new guest and attach the VMDK.
6. In the setting configuration of the guest, make sure that you initially have the “IO APIC” selected.
7. The machine should boot without a complaint but will run slowly due to IO APIC.
8. In your new Windows guest, open up the device manager and update the driver for “ACPI Uniprocessor PC”.  Update the driver to use “Advanced Configutation and Power Interface (ACPI) PC” instead.
9. Shutdown the guest and modify the settings and unselect the “IO APIC”.
10. Startup the VM and enjoy a newly converted guest!

Finally.  A fully working guest that was P2V’d and didn’t require 24 hours of endless searching or head scratching to get it to work.  Hooray!

1. Remove the device from powerpath:

   powermt remove dev=[hdiskpowerX]

2. Remove powerpath hdiskpower devices from system:

   rmdev -dl hdiskpowerXX

3. Remove standard SAN disk devices:

   rmdev -dl hdiskX

4. Confirm

   lsdev -Cc disk

   and again with inq

   inq

You are user “A” on “hostA”, and hostA is your client machine. Host “hostB” is the host in which you need to run the X application on as user “B”. Furthermore, hostB only allows SSH connections. In addition to the SSH restriction, you need to run an X application as someone other than yourself and you don’t have the password but you can use sudo to become that user. What can you do?

The good new is that it can be done. If you’re interested in the how but not the why, read the end for a one line solution. Otherwise, there are a few road blocks that need to be overcome to get this to work so let’s look at some of those issues:

1. Since hostA is behind a firewall, the firewall may not be configured to allow X traffic. More than likely this is the case and would prevent the user from simply sudo’ing to the new user and export a display back to hostA.
2. If you attempted to tunnel the X connection over your SSH connection and then become the user running the X application, you would have found out that once you became the new user and attempted to run the X application you would have been presented with this error similar to this:

   X11 connection rejected because of wrong authentication. X connection to localhost:10.0 broken (explicit kill or server shutdown).

So what can you do to get this to work? Actually the answer isn’t all that difficult; it just requires an understanding of how X works. Most users will know that they can export the display to another host by exporting the DISPLAY variable, and that they can use xhost command on the local host to allow access to it. This is called host-based access and is the simplest and least secure access control mechanism available in X.

We already know that X isn’t going to pass through the firewall so any attempt at simply exporting the display isn’t going to work regardless of our initial connect method (SSH or telnet). Some of you who are familiar with SSH will know that it can also tunnel X. SSH creates a “proxy” X server on the remote host and X traffic will be forwarded over the encrypted channel. We can do a simple test to verify this.

A@hostA:~$ ssh -X hostB
Last login: Fri Jan  9 14:23:03 2009 from hostA
/usr/X11R6/bin/xauth:  creating new authority file /home/A/.Xauthority
[~]
A@hostB => xclock

At which point the xclock application will appear on the display of hostA and we now know that X tunneling over SSH works.

But what happens when we become the “B” user? Let’s try again.

A@hostB => sudo su - B
Password:
[~]
B@hostB => xclock
X11 connection rejected because of wrong authentication.
X connection to localhost:10.0 broken (explicit kill or server shutdown).
[~]
B@hostB =>

No luck. The reason this didn’t work is that user “B” doesn’t have the proper authority to display on another user’s display. Remember that X uses an access control mechanism to allow client to write to a display. Unlike the host-based access that we touched on above, X can also use a more secure control mechanism called a “magic cookie”. This cookie allows a user to gain access to a display. By default, these cookies are stored in a file named .Xauthority.

Recall that when we used the X forwarding capabilities of SSH it created a “proxy” X server. Part of the creation of that proxy is the creation of an .Xauthority file to manage the connections to that proxy server. When we created the initial SSH connection with the -X option, “hostB” created a proxy X server with a .Xauthority file in the user’s home directory and added a cookie for the new connection.

One of the good things about cookies is that they can be shared. If I copy the cookie from user “A” and import it into the .Xauthority file of user “B”, user B will be able to use A’s display. There are some caveats to this, but it’s safe to assume that B will be able to display on A for as long as A has the display. Since we are using SSH and it’s providing a proxy X server, it’s very important to remember that we need to copy the cookie from user A on hostB. SSH is doing some translation on the cookies as part of acting as a proxy, so copying user A’s cookie from hostA isn’t going to work.

We can use /usr/X11R6/bin/xauth to manage our .Xauthority file and the cookies contained in it. Let’s validate that we actually have a cookie after logging in with X forwarding turned on.

A@hostB => xauth list
hostB/unix:10  MIT-MAGIC-COOKIE-1  db6b0a2c3f6ef0d52454532e4fb42b93

We know this works as we were able to display the xclock application on our host previously. Notice that we’re looking at user A’s cookie on hostB, NOT hostA. In order to allow user B access to user A’s display, B needs to import A’s cookie. Again, we can use xauth to accomplish this and it’s a quick one-liner.

A@hostB => xauth extract - :`echo $DISPLAY |awk -F: '{print $2}'` | sudo su - B -c "/usr/X11R6/bin/xauth merge -"

This assumes that user A has the ability to sudo su to user B. Once this is done, xclock (or whatever you wish) can be run as user B and will now appear on user A’s display running on hostA. If all of your hosts are internal, this is a relatively secure method of granting access to remote displays. Since the cookies are not encrypted, using this where the connection could be intercepted may not be the best idea and X offers some additional access methods other than host-based and magic cookie.

If you’d like even more info, read the man pages on xauth, and Xsecurity. If a screencast of this would help, let me know.

In our previous discussion we were provided with an account policy document that stated passwords must:

• Be at least 8 characters long.
• Use of at least one upper case character.
• Use of at least one lower case character.
• Use of special characters (!,@#$%, etc).
• Warn 7 days prior to expiration.
• Must expire after 90 days.
• Must be locked after 97 days.

Using chage we can complete the last three items. To do so, we we use chage like so:

# chage -m 0 -M 90 -I 7 -W 7 [user]

This command reads, change the login user to have no minimum number of days for password changes (-m 0), allow at most 90 days before a password change is required (-M 90), lock the account 7 days after the account has expired (-I 7), and warn the user 7 days prior to account expiration (-W 7).

But what about the first four passwords requirements for existing accounts? The password policy changes did not affect any existing accounts that already had passwords set. If at any point the user manually changes their password, the new password policies will be enforced and the first four requirements will be met. Realistically though, once the accounts have been modified using chage to have an expiration, the next user password change will force all accounts into compliance. If accounts are needed to be in compliance immediately, a more active approach will require locking the account and requiring the user to change the password.

It’s important to point out that in many cases, there will be accounts that may not fall under this restriction. As an example, many service or application accounts that are are not used for direct logins may be exempted. So long as the account was created before the modification of the password policies, no changes are necessary and the accounts will be left as is. If any of these accounts were created after the policy change it will be important to remember that chage will have to be used to revert the account back to one that is exempt from aging criteria.

In conclusion, Linux has a standard set of tools that can be used to increase the security of an organization’s account data. By re-configuring the system to enforce both account aging policies as well as more stringent password composition rules, a default Linux installation may be enhanced to meet the more realistic needs of today’s organizations.

Only one slight problem — I can’t skate particularly well.  Which in reality is a nice euphemism for, “I completely suck at skating.”  So with a new pair of hockey skates and a reckless abandon for my own personal safety, I take to the ice in an effort to improve my skating ability.  I’ve been on the ice every day and I’ve made real progress.  So much so, that I enrolled in an adult developmental hockey class.

So for the next six Sundays, I’ll be on the ice seeing how far I can push myself in a sport that has no longer remained elusive to me.  

The document states that passwords must:

• Be at least 8 characters long.
• Use of at least one upper case character.
• Use of at least one lower case character.
• Use of at least one special character (!,@#$%, etc)
• Warn 7 days prior to expiration.
• Expire after 90 days 
• Lock after 97 days.

The good news is that Linux has all of these features and can be setup to meet the requirements given to us.  Unfortunately though, Linux doesn’t have all this information located in one central place. If you’re not using the RedHat supplied redhat-config-users GUI, you’re going to have to make the changes manually.  Since our server systems don’t run X, we will be making the changes directly to the system without the help of the GUI.

In RHEL, changes are made in multiple locations.  They are:

• /etc/pam.d/system-auth
• /etc/login.defs
• /etc/default/useradd

In Linux, password changes are passed through PAM. To satisfy the first three requirements we must modify the PAM entry that corresponds with passwords. /etc/pam.d/system-auth is the PAM file responsible for authentication and where we will make our first modifications. Inside /etc/pam.d/system-auth there are entries based on a “type” that the rules apply to. As we are only discussing password rules, you will see a password type.

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3

The password type is “required for updating the authentication token associated with the user.” Simply put, we need a password type to update the password. Looking at the example, we can see that pam_cracklib is the default module that is responsible for this operation. To configure pam_cracklib to meet our specifications we need to modify the line accordingly:

• Minimum of 8 characters: minlen=8
• At least one upper case character: ucredit=-1
• At least one lower case character: lcredit=-1
• At least one special character: ocredit=-1

Our /etc/pam.d/system-auth will now look like this:

#password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1

If you are curious as to how pam_cracklib defines and uses credits, check the link above to the pam_cracklib module page. Next, to meet the requirement to have passwords expire after 90 days, we need to modify the /etc/login.defs file.

# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   90
PASS_MIN_DAYS   0
PASS_MIN_LEN    8
PASS_WARN_AGE   7

Notice how the PASS_MIN_LEN is also set here as well. Since we have been given some latitude on when to warn users we have chosen to warn users seven days prior to expiration. But our last item is curiously missing. Where do we set up the accounts so that after 97 days the account is locked out and requires a system administrator to unlock?

Believe it or not useradd controls the initial locking of an account. Issuing a useradd -D will show you the current default paramters that are used when useradd is invoked.

[root@host ~]# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

The INACTIVE=-1 entry defines when an account will be deactivated. Inactive is defined as the, “number of days after a password has expired before the account will be disabled.” Our requirements state that the account should be disabled seven days after account expiration. To set this we can either:

• Invoke useradd -D -f 7
• Modify /etc/default/useradd and change the INACTIVE entry.

Just remember that an inactive or disabled account is a locked account whereas an expired account is not locked. With this last change, all of the requirements that have been given to us have been met. We modified the password rules for all new passwords, and setup the system to activate password aging as well as configure the system to disable an account if necessary. But one issue remains — if this is not a new system what happens to all existing account? The answer is nothing.

In the next installment I’ll show you how to make our modifications effective on existing user accounts…

1. Get the disk(s) presented to the host observing that it’s visible down multiple paths.

   # inq -showvol Inquiry utility, Version V7.3-771 (Rev 0.0) (SIL Version V6.3.0.0 (Edit Level 771) Copyright (C) by EMC Corporation, all rights reserved. For help type inq -h.   ----------------------------------------------------------------------------- DEVICE :VEND :PROD :REV :SER NUM :Volume :CAP(kb) ----------------------------------------------------------------------------- /dev/sda :EMC :SYMMETRIX :5771 :0123456789 : 00617: 2880 /dev/sdb :EMC :SYMMETRIX :5771 :0123456789 : 00204: 35654400 /dev/sdc :EMC :SYMMETRIX :5771 :0123456789 : 00206: 35654400 /dev/sdd :EMC :SYMMETRIX :5771 :0123456789 : 00208: 35654400 /dev/sde :EMC :SYMMETRIX :5771 :0123456789 : 0020A: 35654400 /dev/sdf :EMC :SYMMETRIX :5771 :0123456789 : 0020C: 35654400 /dev/sdg :EMC :SYMMETRIX :5771 :0123456789 : 0020E: 35654400 /dev/sdh :EMC :SYMMETRIX :5771 :0123456789 : 00210: 35654400 /dev/sdi :EMC :SYMMETRIX :5771 :0123456789 : 00212: 35654400 /dev/sdj :EMC :SYMMETRIX :5771 :0123456789 : 00214: 35654400 /dev/sdk :EMC :SYMMETRIX :5771 :0123456789 : 00263: 35654400 /dev/sdl :EMC :SYMMETRIX :5771 :0123456789 : 00265: 35654400 /dev/sdm :EMC :SYMMETRIX :5771 :0123456789 : 00267: 35654400 /dev/sdn :EMC :SYMMETRIX :5771 :0123456789 : 00269: 35654400 /dev/sdo :EMC :SYMMETRIX :5771 :0123456789 : 0026B: 35654400 /dev/sdp :EMC :SYMMETRIX :5771 :0123456789 : 00617: 2880 /dev/sdq :EMC :SYMMETRIX :5771 :0123456789 : 00204: 35654400 /dev/sdr :EMC :SYMMETRIX :5771 :0123456789 : 00206: 35654400 /dev/sds :EMC :SYMMETRIX :5771 :0123456789 : 00208: 35654400 /dev/sdt :EMC :SYMMETRIX :5771 :0123456789 : 0020A: 35654400 /dev/sdu :EMC :SYMMETRIX :5771 :0123456789 : 0020C: 35654400 /dev/sdv :EMC :SYMMETRIX :5771 :0123456789 : 0020E: 35654400 /dev/sdw :EMC :SYMMETRIX :5771 :0123456789 : 00210: 35654400 /dev/sdx :EMC :SYMMETRIX :5771 :0123456789 : 00212: 35654400 /dev/sdy :EMC :SYMMETRIX :5771 :0123456789 : 00214: 35654400 /dev/sdz :EMC :SYMMETRIX :5771 :0123456789 : 00263: 35654400 /dev/sdaa :EMC :SYMMETRIX :5771 :0123456789 : 00265: 35654400 /dev/sdab :EMC :SYMMETRIX :5771 :0123456789 : 00267: 35654400 /dev/sdac :EMC :SYMMETRIX :5771 :0123456789 : 00269: 35654400 /dev/sdad :EMC :SYMMETRIX :5771 :0123456789 : 0026B: 35654400

2. See what disks Veritas can see.
   vxdisk -o alldgs list
3. Initialize the disk for the first time. This needs to be repeated for each individual disk.
   /etc/vx/bin/vxdisksetup -i DEVICE format=cdsdisk
4. See if the intialize worked correctly. 

   # vxdisk -o alldgs list DEVICE TYPE DISK GROUP STATUS EMC0_0 auto:cdsdisk - (dg_grp) online EMC0_1 auto:cdsdisk - (dg_grp) online EMC0_2 auto:cdsdisk - (dg_grp) online EMC0_3 auto:cdsdisk - (dg_grp) online EMC0_4 auto:cdsdisk - (dg_grp) online EMC0_5 auto:cdsdisk - (dg_grp) online EMC0_6 auto:cdsdisk - (dg_grp) online EMC0_7 auto:cdsdisk - (dg_grp) online EMC0_8 auto:cdsdisk - (dg_grp) online EMC0_9 auto:cdsdisk - (dg_grp) online EMC0_10 auto:cdsdisk - (dg_grp) online EMC0_11 auto:cdsdisk - (dg_grp) online   EMC0_12 auto:cdsdisk - (dg_grp) online EMC0_13 auto:cdsdisk - (dg_grp) online cciss/c0d0 auto:none - - online invalid

   All device(s) (e.g. EMC0_n) now show as online.

5. Create the disk group.
   vxdg init dg_name dg_internal_name01=DEVICE
   The dg_name is the name of your disk group while dg_internal_name01 is the name of the first disk. In our case dg_internal_name01=EMC0_0.
6. Add any additional disk to the disk group.
   vxdg -g dg_name adddisk dg_internal_name02=EMC0_n+1
   Note that EMC0_n+1 is the next free disk that you are attempting to add. So dg_internal_name02=EMC0_1 (remember we started with EMC0_0).
7. To create the volume
   vxassist -g dg_name make lv_name [size] dg_internal_nameN
   Repeat as necessary.
8. Finally, create the file system
   mkfs -t vxfs /dev/vx/rdsk/dg_name/lv_name

At this point the volumes are now available to be defined as a mount resource in VCS.

• 2.4.x Kernels
  > cat /proc/scsi/[hba_type]/(n)
  where hba_type is the driver (e.g. lpfc for Emulex) and (n) is the HBA number.
• 2.6.x Kernels:
  > cat /sys/class/scsi_host/host(n)/[port_name|node_name]
  Hosts with multiple HBAs are enumerated via host(n) (e.g host0).

You can use lsmod to determine which driver is in use.

I finally found a workable solution that will work for everyone (at least for the PAM challenged folks.) It’s more secure that setting group suid bits on VirtualBox and you’re not hacking the user to be a member of the shadow group. I’m running on Ubuntu 7.10 so your setup may vary slightly…

[EDIT: Thanks to Finger for validating this through version 2.1.0]

You have two options depending on your comfort level (both tested and verified).

1. Modify your existing /etc/pam.d/login file(s)
2. Create a custom PAM service in /etc/pam.d

FIRST OPTION

The VirtualBox provided VRDPAuth.so library defaults to using the /etc/pam.d/login service so changes have to be made there. In Ubuntu, the existing /etc/pam.d/login file includes pointers to other /etc/pam.d files, namely common-account that actually do the work (referenced by an @ in the file), so we need to modify /etc/pam.d/common-account.

My default /etc/pam.d/common-account looks like:

#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
account required        pam_unix.so

To fix, append “broken_shadow” to the account line. E.g.

account required        pam_unix.so broken_shadow

This fixes the issue with minimal changes to your system. The impact of this change is that the change is valid for ALL services that use common-account.

SECOND OPTION

If your concerned about modifying a default PAM service, we can create our own. To resolve this issue using a custom PAM service:

1. Create a new file named /etc/pam.d/vrdpauth (or whatever your want)
2. Add this to the following file.

   auth required pam_unix.so account required pam_unix.so broken_shadow

3. In order to use a custom service you must either set the VRDP_AUTH_PAM_SERVICE environment variable (or recompile the library). So…

   jhowk@host:~$ export VRDP_AUTH_PAM_SERVICE=vrdpauth

That’s all that’s needed. Easy fixes. If anyone has any questions just let me know.

For RHEL 4

• 32bit
  • Add the clock=pit parameter to the kernel boot params (grub.conf kernel stanza)

• 64bit
  • Add the notsc parameter to the kernel boot params (grub.conf kernel stanza)

For RHEL 5

• Kernel >= 2.6.18
  • overcorrection for lost ticks was fixed.
• Kernel < 2.6.18
  • 32bit
    • Add the clocksource=pit parameter to the kernel boot params (grub.conf kernel stanza)
  • 64bit
    • Add the notsc parameter to the kernel boot params (grub.conf kernel stanza)

Make sure to verify that the system is syncing against the guest (via vmware-toolbox or directly in the .vmx as tools.syncTime=TRUE)

• A host to act as the hypervisor for the guest.
• A host that will provide NFS an export the ISO image and kickstart files. This can be the hypervisor if necessary.

Tasks:

1. Get the ISO. CentOS 5.2 is here and direct DVD downloads can be found by visiting the mirror page.
2. Install CentOS onto the system that will be your hypervisor. Be sure that the Virtualization group is checked so Xen will get installed.
3. On your NFS host, make the directories that will be NFS mounted and contain the ISO files as well as your kickstart file:

   # mkdir -p /opt/install /opt/install/5.2 /opt/install/ks

4. On the NFS host, mount the image and copy the contents to  /opt/install/5.2

   # mount -t iso9660 -o loop ./CentOS-5.2-x86_64-bin-DVD.iso /mnt # rsync -av /mnt/ /opt/install/5.2/

5. Configure your NFS implementation. If your on a Linux/UNIX host, make sure you have the proper permissions in place and export the /opt/install directory accordingly.
6. Create the kickstart file.

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68

   # CENTOS 5.2 PVM Kickstart file # THIS IS FOR PARAVIRTUALIZED GUESTS ONLY! # Created By Jason Howk   install nfs --server=192.168.0.240 --dir=/opt/install/5.2 text   # System Configuration... lang en_US.UTF-8 keyboard us # Temporary root password. Should be changed once host is ready. rootpw password firewall --disabled authconfig --enableshadow --enablemd5 selinux --enforcing −−port=22:tcp timezone --utc America/Denver zerombr # xvda (Xen Virtual Disk) is the xen block tap device for paravirtualized hosts. # Non-PV hosts would see a normal hdx block device # http://wiki.xensource.com/xenwiki/blktap bootloader --location=mbr --driveorder=xvda --append="console=xvc0" reboot   # Network Settings network --device eth0 --bootproto dhcp   # Partitioning clearpart --all --initlabel --drives=xvda part /boot --fstype ext3 --size=100 --ondisk=xvda part pv.2 --size=0 --grow --ondisk=xvda volgroup VolGroup00 --pesize=32768 pv.2 logvol / --fstype ext3 --name=LogVol00 --vgname=VolGroup00 --size=1024 --grow logvol swap --fstype swap --name=LogVol01 --vgname=VolGroup00 --size=256 --grow --maxsize=512   # Disable unneeded services services --disabled microcode_ctl,smartd   # Package Selection. Core and Base are always selected by default. # see: http://www.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/5.2/html/Installation_Guide/s1-kickstart2-packageselection.html %packages @ system-tools   %pre   %post #!/bin/sh   # Localize the resolv.conf. cat << EOF > /etc/resolv.conf domain subaquatic.net search subaquatic.net nameserver 192.168.0.223 nameserver 192.168.0.224 EOF   # Update to local ntp servers. sed -i -e "s/0.centos.pool.ntp.org/192.168.0.1/" /etc/ntp.conf sed -i -e "s/1.centos.pool.ntp.org/192.168.0.2/" /etc/ntp.conf sed -i -e "/2.centos.pool.ntp.org/d" /etc/ntp.conf chkconfig ntpd on service ntpd start   # Turn off unnecessary services chkconfig bluetooth off chkconfig cups off chkconfig gpm off

7. Create your VM.

   1 2 3 4

   #!/bin/sh virt-install -n ${1} -r 256 -f /var/lib/xen/images/${1}.img -s 4 --vnc --os-type=linux --os-variant=centos5 -l nfs:192.168.0.240:/opt/install/5.2 -x "ks=nfs:192.168.0.240:/opt/install/ks/centos52_text_pvm.ks" -p

8. Done!