Linux

This category contains posts related to Linux.

One of my projects over the Christmas holiday has been to rebuild the home network. You’d think I’d want to avoid that sort of thing since I’ve been on vacation from work for the past two weeks, but working on a home network is a different sort of beast than working on a network for a company. There are different challenges to be addressed.

My primary goals for this “home network rebuild” were the following:

  1. Rebuild the home server with a newer version of Linux, and possibly switch to a different distribution.
  2. Continue to provide DNS, DHCP, HTTP, and HTTP proxying/content filtering services to the home network.
  3. Continue to provide file sharing services via Server Message Block/Common Internet File System (SMB/CIFS) for Windows-based systems on the home network.
  4. Continue to have a shared music library available via Digital Audio Access Protocol (DAAP, aka iTunes) available to all systems on the home network.
  5. Provide file sharing services to Macs on the network via AppleTalk Filing Protocol (AFP) over TCP.

Ideally, I also wanted to enable Time Machine backups from my Mac laptop to the home server.

After doing a fair amount of research, I settled on the use of Ubuntu 8.04 LTS (“Hardy Heron”) for the server build. I didn’t go with Ubuntu 8.10 (“Intrepid Ibex”) simply because a) I already had 8.04.1 downloaded and burned to a CD; and b) Hardy Heron is an LTS release, so I should have better support over the long term.

I won’t bore readers with the details of the rebuild, but it took about a day or two to get a larger hard drive installed, Ubuntu installed and configured, and services running like DHCP (including some static reservations for certain computers, like my laptop and my iPhone), DNS (using MaraDNS, much easier to figure out than BIND), Apache, and Squid with SquidGuard. At this point, I’d completed tasks #1 and #2.

On to task #3. This was pretty simple and straightforward and easily accomplished via Samba, with nothing really unique to document here. The one interesting thing that I did find was a way to map the long usernames that Mac OS X uses (like “Bob Jones”) to a short username (like “bjones”). I used this parameter in the /etc/samba/smb.conf file:

username map = /etc/samba/usermap.conf

In this file, I simply placed lines that mapped the long usernames to the short usernames. Since Mac OS X defaults to the long username when connecting to the server, this allows me to simply type in a password and connect. I searched for hours trying to find a way to have Mac OS X supply my current password to the Samba server so that I wouldn’t get prompted, but could not find any information. If anyone knows the trick, I’d love to hear about it. After configuring a few shares, setting Linux permissions and the umask, and then testing from both my Mac laptop and a Windows laptop, task #3 was finished.
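As an added example (not from the original post), here are the two pieces the mapping needs; the user names, the share and the path are assumptions:

```ini
; /etc/samba/smb.conf (assumed excerpt; only the relevant parameters shown)
[global]
   security = user
   username map = /etc/samba/usermap.conf

[music]
   path = /srv/music
   valid users = bjones
   read only = no

; /etc/samba/usermap.conf: one mapping per line, "unix_name = windows_name [windows_name ...]"
; Names containing spaces must be quoted. Lines are processed in order and
; processing continues after a match unless the line begins with "!".
!bjones = "Bob Jones" bob
```

Keep the map file owned by root and not group- or world-writable: anyone who can edit it can map an incoming name onto a different Unix account. `testparm -s` will report any parse errors in smb.conf before you restart Samba.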

Task #4, providing an iTunes-compatible music server, was also really straightforward and easy. For this, I again selected Firefly Media Server, formerly mt-daapd, which I’d used before with great success. Again, nothing unusual or unique to document here, except for the potential interaction with Avahi (more on that later).

The final task was installing Netatalk to provide AFP over TCP file sharing services for Macs on the network. Fortunately for me, one of the sites I’d been using to help in my project pointed me to this blog post, which had a prebuilt package for Netatalk that included the necessary SSL support that Mac OS X requires. That saved me the trouble of compiling Netatalk from source. Following the steps in the Kremalicious article as well as information from this guide, I configured Netatalk to present a volume to use for Time Machine backups. It was at this point that I noticed a strange interaction with Avahi.

Avahi is a multicast DNS (what Apple calls Bonjour) server for Linux. It’s responsible for advertising services to multicast DNS-enabled systems, such as other Linux systems running Avahi or Macs. I’d installed Avahi earlier and used some service definitions from this article and this blog post to advertise Samba and HTTP. In addition, after installing Firefly, I’d noticed that Firefly started advertising its presence automatically through Avahi with no service definition required.

Upon installing Netatalk, I also noticed that Netatalk started advertising automatically via Avahi as well, but using the IP address of the server. In order to be able to control how Netatalk advertises via Avahi, I had to change this line in /etc/avahi/avahi-daemon.conf:

enable-dbus=no

The suggestion for this change came from this thread on the Ubuntu Forums. Upon making the change and restarting Avahi, the odd Netatalk entry went away, but so did Firefly! To advertise both Netatalk and Firefly, I added a couple of files to /etc/avahi/services:

afpd.service:

<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">Intrepid Time Machine</name>
<service>
<type>_afpovertcp._tcp</type>
<port>548</port>
</service>
<service>
<type>_device-info._tcp</type>
<port>0</port>
<txt-record>model=AirPort</txt-record>
</service>
</service-group>

daapd.service:

<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">Home Music Server</name>
<service>
<type>_daap._tcp</type>
<port>3689</port>
</service>
</service-group>

After placing these two files into /etc/avahi/services, the new services started advertising immediately. By the way, you’ll note the extra “device-info” entry in afpd.service; that sets the icon that will be used by Macs when they discover this service. I made mine look like a Time Capsule by using the setting listed above.

During this work with Avahi, I uncovered a couple of interesting things:

  • I found that restarting the Avahi daemon is actually more problematic than just leaving it alone; in order to make it start advertising services again after a restart, you’ll have to open one of the files in /etc/avahi/services and then close it again. No changes are necessary to the file, but opening it will kickstart Avahi into service advertisement.
  • Advertising SMB/CIFS and AFP together with the same name caused my Mac to ignore the SMB/CIFS services and only use AFP. I had to separate SMB/CIFS and AFP into different entries. Since I was using AFP really only for Time Machine backups and SMB/CIFS for everything else, it wasn’t really a big deal.
  • Advertising SMB/CIFS and RFB (Screen Sharing, as outlined here) works fine together.

At this point, task #5 was pretty much complete. I had originally envisioned providing file sharing services to the same locations via both AFP and SMB/CIFS, but in the end—partially because of the odd issue with AFP and SMB/CIFS being advertised together as described above—settled for using AFP only for Time Machine and SMB/CIFS for everything else.

Along the way, I also configured screen sharing as outlined here, and it seems to work just fine. I have to leave an account logged in to the Ubuntu server, but I can just lock the screen when I’m not logged in remotely.

The last step was to enable Time Machine backups to the Ubuntu server via AFP. First, the hack to enable non-Time Capsule network backups (this should be all on one line):

defaults write com.apple.systempreferences TMShowUnsupportedNetworkVolumes 1

I was then able to select the Ubuntu-hosted AFP volume for Time Machine backups. Attempting to run a Time Machine backup, however, reported an error about being “unable to create the disk image”. Fortunately, a number of different articles pointed to the use of hdiutil to create the disk image, and that seemed to fix the problem. Time Machine is now backing up to the AFP volume, although I suspect I still have a few issues to work through (for example, it looks as though I have to keep the Time Machine AFP volume mounted in order for automatic backups to run).

So, when everything is said and done, I was able to achieve all my stated goals. The only outstanding issue that I haven’t yet figured out centers on automatic logins; for both AFP and SMB/CIFS, I get prompted for a password when connecting, even though I keep my password synchronized (manually) between my Mac and the Ubuntu server. Any tips on how to resolve that would certainly be appreciated.

Along the way, I found the following sites to be quite helpful. I’m sure there are others that I used along the way, and I apologize if I’ve failed to extend credit where credit is due.

Limit size of Time Machine backups on Time Capsule
Set up Time Machine on a NAS in three easy steps
Make Ubuntu a Perfect Mac File Server and Time Machine Volume
Five Guides on How to Integrate Ubuntu into a Mac OS X Network
Time Machine Wireless Backups without Time Capsule

OpenVPN and mt-daapd

I have a system at home with an “older” Linux distribution for mundane tasks like DHCP and content filtering on my broadband connection (no need for the kids to see something they shouldn’t be seeing, if you know what I mean). I’ve thought frequently about rebuilding it with a newer distribution, perhaps Ubuntu, but—to be perfectly honest—I’m just too lazy. It generally just works, and overall doesn’t require a great deal of care and feeding.

One of the various things this server does is run mt-daapd (now called Firefly Media Server, I believe)—basically it’s an iTunes server. I dump copies of the MP3s generated when I rip a CD onto a mount point on this server, and anyone in the house with iTunes can connect and listen to them. They can’t copy them or sync them to their iPod, but they can listen to them. Since the kids and I share some similar tastes in Christian contemporary music, it works out well.

After being rather impressed with the Viscosity OpenVPN client and OpenVPN in general, I also setup OpenVPN on this Linux home server for those instances when I need to connect to my home network for some reason. I’ve only needed to use it a couple of times, but it’s worked great thus far.

While setting up some older laptops for the kids (one of their Christmas presents this year), I ran into an instance where iTunes for Windows wouldn’t connect to the shared music library on my Linux server. The problem seemed sporadic, and seemed to be somewhat limited to the Windows laptops I was setting up; I was still able to connect from my MacBook Pro. About the same time, one of my younger kids came up and told me that the Mac mini downstairs wouldn’t connect to the shared music library, either. Hmmm, something was going on.

Restarting the mt-daapd daemon didn’t change anything, nor did disabling the Windows Firewall on the laptops. Turning off the firewall on the Linux server didn’t change anything, either. I started to dig in a bit deeper then, and after a short while realized that Bonjour—which is used by iTunes to discover shared music libraries on other systems—was somehow picking up the wrong IP address. But where was this address coming from?

It didn’t take long after that to figure out that mDNSResponder on the Linux server was broadcasting the IP address of the server’s tun0 interface, which is used by OpenVPN. Because of various routing issues and limitations, this range of addresses isn’t reachable by the home LAN; hence, failures to connect to the mt-daapd server.

The fix, in my case at least, was to modify the /etc/init.d/mDNSResponder script to add the “-i eth0” parameter to the command that started mDNSResponder. This forced mDNSResponder to broadcast only the IP address of eth0, the server’s primary Ethernet interface. Two changes needed to be made to the file:

  1. First, the “-i eth0” needs to be added to the line that defines the variable $OTHER_MDNSRD_OPTS.
  2. Second, double quotes have to be added around the command that actually launches mDNSResponder using the runuser command. Otherwise, the parameter to mDNSResponder is interpreted as a parameter to runuser and causes an error.

Once I made these changes and restarted both mDNSResponder and mt-daapd, all the systems were able to connect to the shared music library without any further issues. Problem solved!
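The check below is an added example and is not part of the original post (which ran Apple’s mDNSResponder, not Avahi). It parses the resolved, parseable output of `avahi-browse -rpt` and flags any advertisement whose resolved address lies outside the LAN prefix, which is exactly the symptom above: clients are handed the OpenVPN tun0 address and cannot connect. The sample lines are constructed; the service names, the 10.8.0.1 and 192.168.1.x addresses and the 192.168.1.0/24 prefix are assumptions.

```python
"""Flag mDNS/Bonjour advertisements that resolve to an off-LAN address.

Added example, not code from the original post. Input is the parseable
output of `avahi-browse -rpt <type>` (resolve, parseable, terminate); the
SAMPLE below is constructed to mirror the failure described in the post.
"""
import ipaddress
import re

# Constructed sample of `avahi-browse -rpt` output. A resolved ('=') line is:
#   =;iface;proto;name;type;domain;hostname;address;port;txt
# Avahi escapes spaces in names as \032 (decimal) in parseable mode.
SAMPLE = r"""
+;eth0;IPv4;Home\032Music\032Server;_daap._tcp;local
=;eth0;IPv4;Home\032Music\032Server;_daap._tcp;local;server.local;10.8.0.1;3689;
=;eth0;IPv4;Intrepid\032Time\032Machine;_afpovertcp._tcp;local;server.local;192.168.1.10;548;
"""

_ESC = re.compile(r"\\(\d{3})")


def unescape(name: str) -> str:
    """Undo avahi's \\NNN (decimal) escaping used in parseable output."""
    return _ESC.sub(lambda m: chr(int(m.group(1))), name)


def parse_resolved(text: str):
    """Yield one dict per resolved ('=') line; '+' and '-' lines are skipped."""
    for line in text.splitlines():
        parts = line.split(";")
        if len(parts) < 9 or parts[0] != "=":
            continue
        _, iface, proto, name, stype, domain, host, addr, port = parts[:9]
        yield {
            "iface": iface,
            "proto": proto,
            "name": unescape(name),
            "type": stype,
            "host": host,
            "address": ipaddress.ip_address(addr),
            "port": int(port),
        }


def find_leaks(text: str, lan: str):
    """Return advertisements whose resolved address is not inside `lan`.

    Every hit is an address that LAN clients will be told to connect to but
    may not be able to reach (the post's tun0 case), and an address that is
    being multicast to every host on the segment.
    """
    net = ipaddress.ip_network(lan, strict=False)
    return [ad for ad in parse_resolved(text) if ad["address"] not in net]


if __name__ == "__main__":
    import sys

    # Pipe real output in: avahi-browse -rpt _daap._tcp | python3 mdns_leaks.py 192.168.1.0/24
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    lan = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.0/24"
    for ad in find_leaks(data, lan):
        print(f"{ad['name']} ({ad['type']}) on {ad['iface']} advertises "
              f"{ad['address']}:{ad['port']}, which is outside {lan}")
```

Beyond the broken connections, an off-subnet address in a multicast advertisement is information handed to every host on the segment (here, the VPN’s address plan). On an Avahi host the equivalent of the post’s “-i eth0” is `allow-interfaces=eth0` (or `deny-interfaces=tun0`) in the `[server]` section of /etc/avahi/avahi-daemon.conf, which keeps the tunnel address out of the advertisements rather than merely detecting it.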

So, I’ve been searching for a good way to establish connectivity to the lab at my office for a while. My first attempt was to work with one of our CCIEs at the office to establish an IPSec-based VPN against a Cisco router at the edge of the lab network, but despite our best efforts we couldn’t get the IPSec VPN client I was using, IPSecuritas, to connect and authenticate. No amount of fiddling would make it work.

We finally gave up on that and instead I went with an OpenBSD box to which I could establish an SSH session and then tunnel traffic from there. That worked reasonably well, especially after I discovered the GNU Screen utility. Talk about a handy little tool! Anyway, I continued using the SSH gateway for quite some time and I had resigned myself to living with the limitations.

Then a co-worker from the office casually mentioned that he’d set up a Linux-based OpenVPN server on another subnet in the lab (we have a range of different subnets for different engineers in the lab). He, too, is a Mac user, but still running Mac OS X 10.4 on an older 13″ PowerBook G4 and using the Tunnelblick OpenVPN client. I thought to myself, “Hey, this might actually work!”

Alas, some additional research indicated that Tunnelblick had some stability problems under Leopard, which I’m running on my MacBook Pro. Bummer! I continued to research the issue but didn’t bother trying to use the OpenVPN server until just a couple of weeks ago when I uncovered Viscosity.

Viscosity is a shareware, Leopard-only OpenVPN client. It supports Growl notifications (which I very much like) and operates as a simple menu icon that easily allows you to connect or disconnect individual connections. Owing partially to how OpenVPN works, Viscosity uses (and includes) a TUN/TAP driver for OS X and creates a new TUN/TAP interface for every connection. This makes routing much easier and much more logical, in my opinion.

I’m so pleased with OpenVPN thus far, in fact, that I’m going to be setting up my own OpenVPN server here at the house.

My experience thus far has been quite positive. If you are looking for a good OpenVPN client for your Mac, Viscosity would be an excellent choice. At only $9 for a license, it’s well worth it.

I wouldn’t go so far as to say that I broke the news on Kodiak, but since my first post on Kodiak back in August, Bluebear has seen quite a bit of coverage around the Internet. Fellow virtualization blogger Duncan Epping of Yellow Bricks has discussed Kodiak a number of times (here are only a few):

Bluebear’s Kodiak!
Bluebear’s Kodiak, what’s all the fuss about…
Kodiak 0.02 coming out real soon…

That’s not to mention coverage by virtualization.com, Reuters.com, and numerous other bloggers, experts, and analysts.

But where is Bluebear headed with Kodiak? What is their vision? Well, I don’t speak for Bluebear, but I did want to share some insight I’d gathered during a conversation with one of the Kodiak developers. I was curious to know how VMware’s announcements of cross-platform vCenter Server and cross-platform VI Client at VMworld 2008 would affect Kodiak. Perhaps because of VMware’s market leadership, most people see Kodiak as only a cross-platform VI replacement. The truth is, according to my information, Kodiak’s true value lies elsewhere. While it can be viewed as a VI Client replacement, and while it does bring cross-platform functionality to the table, there’s more to it than just that. Thus, cross-platform support by VMware—while sorely needed for quite some time—shouldn’t really impact Kodiak all that much.

So what is the value of Kodiak beyond cross-platform support? Good question! Here are a couple of points I gathered from our conversation:

  • Multi-hypervisor management: One stated goal for Kodiak has always been to provide the ability to manage multiple, different hypervisors—not only ESX and ESXi, but also Xen, VirtualBox, etc. This is an area that only Microsoft is dabbling in with SCVMM, which will manage Hyper-V and ESX (via VirtualCenter only). Kodiak can manage ESX directly or via VirtualCenter.
  • Management via visualization: I don’t know if this is what drove Bluebear to use Adobe AIR or if it’s a result of using Adobe AIR, but the idea behind managing virtualization with Kodiak is more through visualization than anything else. Bluebear wants users to be able to respond quickly to potential issues by making it possible to see those potential issues instead of waiting for a notification or an e-mail that something’s wrong.

I’m sure that Bluebear has all sorts of super-secret stuff in the works that will further differentiate their product from VMware’s cross-platform VI Client, even though the two products aren’t intended to directly compete.

And, of course, this doesn’t take into account Bluebear’s hardware side, aka Koala, which doesn’t get nearly the same amount of attention as Kodiak. Personally, I’m kinda hoping that the Koala will end up affordable enough for me to pick one up, as I could surely use it to host various virtual servers at home for media streaming, home automation, etc. But I digress…

Anyway, I think I have a pile of beta invites for Kodiak, so if anyone is interested post a comment here and I’ll see what I can do. Then you can take a look at the product yourself—keeping in mind that it is a very early beta—and see what you think about the future of Kodiak.

I just wanted to provide a quick update on some articles I have in the works to be (hopefully) published soon.

  • I’m working on an article discussing when to use various NIC teaming configurations with VMware ESX. There are some significant repercussions here for a variety of network configurations, but especially so for configurations involving IP-based storage (iSCSI or NFS).
  • I’m finally wrapping up an article on the Xsigo I/O Director. I’ve been working with a Xsigo VP780 in the lab for quite some time, and this article will provide a brief overview along with some tips and tricks.
  • I received word from HP that I should be getting a ProCurve switch in my lab soon, so that means I can provide a ProCurve-oriented version of this NIC teaming and VLAN trunking article.
  • I have some notes on using NetApp Open Systems SnapVault (OSSV) in conjunction with VMware ESX that I plan to post here as well.

New versions of the Linux and Solaris AD integration articles are on the way as well, starting with an update of the Solaris instructions to accommodate Solaris 10 Update 5 and Windows Server 2008.

If there’s anything else you’re interested in seeing, let me know in the comments. Thanks for reading!

UPDATE: The NIC utilization article is available here.

I came across an interesting paper discussing how various virtualization environments protect well-behaved VMs from misbehaving VMs. The paper is available here.

In the tests described in the paper, researchers used virtual machines on Xen 3.0 (the open source hypervisor not the commercial XenServer product, as far as I can tell), VMware Workstation 5.5, and “Open Solaris 10” (quotes mine). As pointed out in the paper, these three environments represent paravirtualization, full virtualization, and OS virtualization (or containers). I’m not sure if the researchers actually meant OpenSolaris; I suspect not since that’s a very recent release. Instead, I believe they probably just meant Solaris 10. On Xen and VMware Workstation, both running under Linux, they used Linux-based VMs; on Solaris, they used additional instances of Solaris. Each VM or instance ran Apache 2 and was tested using physical clients to connect to the HTTP server in each VM.

The results are interesting; VMware showed the best protection of well-behaved VMs from a misbehaving VM, followed by Xen with Solaris Containers providing the least protection. The level of protection was tested using a memory consumption stress test, a CPU stress test, a disk I/O stress test, and a network I/O stress test. I’d encourage you to have a look at the full paper for all the details.

These results are very interesting, but I wonder how much the results would change if we were to use VMware’s ESX server product line instead of one of the hosted products like VMware Workstation? As a product representative of “full virtualization” solutions, I’d be curious to know if the results seen with VMware Workstation were also seen with ESX.

In any case, the results are a validation of what we, as consultants, have been talking about: full virtualization provides the best isolation of well-behaved workloads from ill-behaved workloads, preventing a workload in one VM from affecting other workloads due to mishandling of CPU, RAM, disk, or network resources. As the researchers conclude in the paper, “…it is clear that VMware completely protects the well-behaved VMs under all stress tests. Its performance is sometimes substantially lower for the misbehaving VM, but in a commercial hosting environment this would be exactly the right tradeoff to make.”

While at VMware Partner Exchange 2008 in San Diego this week, a few virtualization- or VMware-related headlines have popped in and caught my attention:

  • Via Eric, I learned that vimsh has morphed into vmware-vim-cmd in version 3.5. Xtravirt’s updated document can be found here.
  • Via Duncan, it looks as if a number of patches for ESX/ESXi 3.5 have been released. Time to put Update Manager through its paces…
  • As several other bloggers have mentioned, VMware is now discussing in much greater detail the VMware Certified Design Expert (VCDX) certification. I suspect that the BC/DR and VI architectural workshops that are taking place at Partner Exchange this week—which incorporate a fairly intensive review and presentation process—are prepping professionals for the rigors they will have to endure to achieve VCDX. Bring it on!
  • Sys-Con Media—which has republished a couple of my articles—published this interesting article from a KVM developer regarding the placement and architecture of I/O and I/O drivers in various virtualization solutions. Of course, he feels that KVM is the best, but that’s not necessarily surprising.
  • Author David Davis has published a brief blog entry at SearchVMware.com that summarizes the use of NIC teaming and load balancing with VMware ESX Server. This blog post is particularly useful since it references some of my own content.

In a future post, I’ll probably delve in more detail into an interesting and thought-provoking article from DCS titled “Microsoft Unveils GSNW 2.0”. It’s an interesting take on the (possible) repetition of history. In the meantime, I’d love to hear other people’s thoughts on this article—go read it, then come back here and add your thoughts in the comments below.

Reader Scott Merrill pointed out something to me in an e-mail regarding a Registry change that might be necessary in some Active Directory integration scenarios:

Finally, I would like to share one registry change that we’ve found to be necessary in our AD integration. By default, the MS LDAP server only returns 1,000 results. As a university department with more than 1000 active students, this limitation has caused us some frustration.

This KB article shows how to increase the number of results returned in a query: http://support.microsoft.com/kb/315071

We recently set MaxPageSize to 5,000. I don’t know if this will introduce additional problems down the road, but at least it lets me fully enumerate all our AD users from a Linux machine with `getent passwd`.

If you have an Active Directory domain with more than 1,000 users under the base DN specified in your LDAP configuration, then this is a Registry change you’ll want to investigate; otherwise, you could find that your UNIX/Linux servers aren’t able to fully enumerate all the users in the domain. Keep in mind that MaxPageSize is a server-side limit that applies to every LDAP client of that domain controller, so raising it lets any single query pull a correspondingly larger result set. The client-side alternative is the LDAP paged results control (RFC 2696), which retrieves a large result set in pages while staying within the default limit; recent nss_ldap releases can use it (the `nss_paged_results` and `pagesize` options in ldap.conf).

Thanks, Scott!

The recently announced beta for VMware Workstation 6.5 includes support for Unity, a technology that was originally introduced with VMware Fusion. Unity allows for seamless windowing of VMs; that is, windows from VMs and windows from the host can be seamlessly intermingled so that the distinction between the virtualized OS and the host OS almost disappears. This is the continued emergence of the application agnosticism I discussed near the end of 2006 and furthers the possibility of collections of VMs becoming our new working environments.

It’s very cool technology, and it’s also very exciting to see VMware bringing this technology to VMware Workstation. I hope that VMware also takes some of the new Unity features—like the badge that helps identify which windows belong to a VM and to which VM they belong—and backport that to future versions of Fusion as well. Of course, I’d love to see all of Workstation’s functionality ported over to Fusion, but that’s just me.

There’s more information on Workstation’s new Unity functionality from Christian Hammond, a VMware developer, on his blog.

Reader Jeffrey Spear contacted me a while back with some problems he was experiencing in trying to integrate some Linux systems into Active Directory. Basically, Kerberos was working but LDAP wasn’t. He was able to use “kinit <AD username>” to generate a Kerberos ticket, but “getent passwd <AD username>” was not working. No error messages, nothing; it just didn’t work.

We traded e-mails back and forth for a while, and eventually he found the solution himself:

We work with a locked down version of OSs and in this case a domain policy on the Windows server was preventing the RHEL machines from accessing account info. The policy was “Domain controller: LDAP server signing requirements” which was set to “Require signature.” When I changed this setting to “None” it worked great.

This is good information and important to keep in mind; I’ll be sure to incorporate this into the next revision of the Linux-AD integration instructions. (No, I don’t have a timeframe on when that will be!) Be aware, though, that “Require signature” exists to keep LDAP traffic from being tampered with in transit, and relaxing it to “None” removes that protection for every client of the domain controller, not just the RHEL machines. The requirement is satisfied when the client binds over SSL/TLS or negotiates signing as part of a SASL (Kerberos/GSSAPI) bind, so a fix on the Linux side ought to be possible.

In the meantime, if anyone has a workaround for this problem that will allow LDAP to work with signatures enabled or required, I’d love to hear it. Speak up in the comments below!