Lowing VirtualBox priorities

One of the things I’d really like is process priorities for virtual box. In the forum I posted a couple of shell commands that I regularly type… which gets a bit tedious, following a recent article on lifehacker reviewing mac text expanding I’ve been prompted to automate a few things… below is a little shell script to lower the priority (renice) of all running virtual machines.

The advantage of doing this is that your host machine stays snappy, responsive and won’t get too over-loaded by jobs on your VMs!

ps -xo pid,command | grep -v grep | grep startvm | while read line ;
        procID=`echo $line | awk '{print $1}'`
        sudo renice +10 -p $procID

The above code works on a mac; although I haven’t tested it, I recon to get it running on Linux you need to update the PS command, by swapping the x for an e… like this….

ps -eo pid,command | grep -v grep | grep startvm | while read line ;
        procID=`echo $line | awk '{print $1}'`
        sudo renice +10 -p $procID

Have fun, suggestions and improvements welcome.

CentOS/Redhat IPSEC and EC2

So it turns out my 5 minute vpn doesn’t work in EC2 because the ESP/AH protocols (50 and 51) are blocked on the AWS network.

This is no big deal tho, as NAT-T allows one to tunnel IPSEC over UDP… however getting it to work on CentOS required a bit of a hack.

If you have already tried setting up an IPSEC vpn, shut it down with ifdown ipsec1 and remove your /etc/racoon/ (or whatever IP yours is).

To start the hack on BOTH boxes, you need to edit /etc/sysconfig/network-scripts/ifup-ipsec. Around line 215 you need to insert nat_traversal force;… like this….


        case "$IKE_METHOD" in
              cat >> /etc/racoon/$DST.conf << EOF
        my_identifier address;
        proposal {
                encryption_algorithm $IKE_ENC;
                hash_algorithm $IKE_AUTH;
                authentication_method pre_shared_key;
                dh_group $IKE_DHGROUP;


        case "$IKE_METHOD" in
              cat >> /etc/racoon/$DST.conf << EOF
        my_identifier address;
        nat_traversal force;
        proposal {
                encryption_algorithm $IKE_ENC;
                hash_algorithm $IKE_AUTH;
                authentication_method pre_shared_key;
                dh_group $IKE_DHGROUP;

Again, on both boxes update your /etc/sysconfig/network-scripts/ifcfg-ipsec1 files so that AH is disabled… because AH doesn’t like NAT… like this….

[root@CentOS2 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ipsec1 
[root@CentOS2 ~]#

On your iptables policy make sure that UDP 500 and UDP 4500 are permitted and volia.

# tcpdump -n -i eth1 port not 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
20:26:49.257590 IP > UDP-encap: ESP(spi=0x08de7c32,seq=0xa), length 116
20:26:49.261076 IP > UDP-encap: ESP(spi=0x03787bd0,seq=0xa), length 116
20:26:50.260942 IP > UDP-encap: ESP(spi=0x08de7c32,seq=0xb), length 116
20:26:50.262939 IP > UDP-encap: ESP(spi=0x03787bd0,seq=0xb), length 116
20:26:51.261298 IP > UDP-encap: ESP(spi=0x08de7c32,seq=0xc), length 116
20:26:51.264974 IP > UDP-encap: ESP(spi=0x03787bd0,seq=0xc), length 116
20:26:52.262289 IP > UDP-encap: ESP(spi=0x08de7c32,seq=0xd), length 116
20:26:52.265488 IP > UDP-encap: ESP(spi=0x03787bd0,seq=0xd), length 116
20:26:53.264008 IP > UDP-encap: ESP(spi=0x08de7c32,seq=0xe), length 116
20:26:53.267003 IP > UDP-encap: ESP(spi=0x03787bd0,seq=0xe), length 116
20:26:54.265655 IP > UDP-encap: ESP(spi=0x08de7c32,seq=0xf), length 116
20:26:54.267264 IP > UDP-encap: ESP(spi=0x03787bd0,seq=0xf), length 116
20:26:55.267459 IP > UDP-encap: ESP(spi=0x08de7c32,seq=0x10), length 116
20:26:55.269678 IP > UDP-encap: ESP(spi=0x03787bd0,seq=0x10), length 116
14 packets captured
14 packets received by filter
0 packets dropped by kernel

IPSEC VPN Tunnelling over UDP…. done!

5 Minute CentOS/RHEL VPN

I’m looking at running two servers on EC2; as we all know the most important thing about running services in the cloud is encryption!

Whilst googling on how to setup a host-to-host IPSEC VPN I was surprised at how easy it is…

On Host1 (…

[root@CentOS1 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ipsec1 
[root@CentOS1 ~]#
[root@CentOS1 ~]# cat /etc/sysconfig/network-scripts/keys-ipsec1 
[root@CentOS1 ~]#
[root@CentOS1 ~]# ifup ipsec1

On host2 (…

[root@CentOS2 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ipsec1 
[root@CentOS2 ~]#
[root@CentOS2 ~]# cat /etc/sysconfig/network-scripts/keys-ipsec1 
[root@CentOS2 ~]#
[root@CentOS2 ~]#ifup ipsec1

… done!!!

[root@CentOS1 ~]# tcpdump -n -i eth1 host
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
09:46:37.306292 IP > AH(spi=0x0aff2b10,seq=0x203): ESP(spi=0x00a0a3cc,seq=0x203), length 84
09:46:37.310197 IP > AH(spi=0x09f82154,seq=0x203): ESP(spi=0x098f0ff9,seq=0x203), length 68
09:46:38.175048 IP > AH(spi=0x0aff2b10,seq=0x204): ESP(spi=0x00a0a3cc,seq=0x204), length 84
09:46:38.179017 IP > AH(spi=0x09f82154,seq=0x204): ESP(spi=0x098f0ff9,seq=0x204), length 68
09:46:39.313583 IP > AH(spi=0x0aff2b10,seq=0x205): ESP(spi=0x00a0a3cc,seq=0x205), length 84
09:46:39.316427 IP > AH(spi=0x09f82154,seq=0x205): ESP(spi=0x098f0ff9,seq=0x205), length 68

6 packets captured
6 packets received by filter
0 packets dropped by kernel
[root@CentOS1 ~]#

Now this is a simple IKE pre-shared key vpn, you might want to google for using certificates for stronger authentication, you can also edit /etc/racoon/racoon.conf to change your IPSEC parameters.

Reference: http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-vpn.html

UPDATE: To make this work in EC2, you need to enable NAT-T see my hack here!

SELINUX and OSSEC IPTables error

OSSEC is my favourite linux HIDS however now that I’m running a SELINUX secured web server I noticed that my active responses were not working after a reboot.

After enabling SELINUX, I started getting alerts about the following problem in my messages file….

Nov 11 12:16:22 amy kernel: type=1400 audit(1289477782.569:8): avc:  denied  { read write } for  pid=2551 comm="iptables" path="socket:[5261]" dev=sockfs ino=5261 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_dgram_socket

This appears to be ossec trying to update iptables, but failing as they’re in different contexts… now I’m no selinx expert but this CentOS Wiki Page helped… run the following command which will create osseciptables.pp in the current directtory…

root@amy# grep iptable /var/log/messages | audit2allow -M osseciptables

This creates a new binary module that can be installed with….

/usr/sbin/semodule -i osseciptables.pp 

You can view current selinux modules with …

/usr/sbin/semodule -l

If you want to see what is being created by audit to allow, try the following…

root@amy# grep iptable /var/log/messages | audit2allow -m osseciptables

module osseciptables 1.0;

require {
        type iptables_t;
        type initrc_t;
        class unix_dgram_socket { read write };

#============= iptables_t ==============
allow iptables_t initrc_t:unix_dgram_socket { read write };

I hope this helps some future googler!

CentOS 5.5 EC2 AMI … for sale.

Whilst learning about Amazon Web Services I noticed that there wasn’t a clean bare-bones version of my favourite server linux – CentOS – to use.

There are various public images available but they all have stuff in there I don’t want!

I have built a 1Gb image of CentOS with the minimum base feature-set… i.e. only the packages you get from typing…

yum groupinstall base

Since I’m not American I can’t sell this using Amazons DevPay program so I’m offering it here… since no-one replied to this post I figure I’m allowed!

I have a CentOS filesystem file (which you can mount via the loopback filesystem) which can be booted within EC2.

To use the file as a private AMI three further steps are required…

Each of these are commands from the AWS tools; all of which I’m happy to do for someone but they would need to handover some secret AWS credentials (it’s your whether you’re comfortable with that or not!).

If you’re interested contact me, I was thinking about £10 ($10->$15USD depending on the exchange rate) was a fair price… obviously you’d paying me for the my time, not the linux or CentOS distribution as they’re free and opensource :-)

Gnome / Nautilus going round in circles

I wonder if anyone else finds this a bit irritating…

This new “spatial” user interface presents just one window for each folder, and remembers their location and size.

Gnome 2.6 Release Notes


Nautilus features a number of user interface changes including a new split view mode and is now set to browser mode by default, replacing spatial mode.

Gnome 2.30 Release Notes

Is this progression or development in circles?

Fedora 10 & ffmpegthumbnailer

I’ve recently upgraded from F7 to F10 and was surprised to see that ffmpegthumbnailer hasn’t made it into the yum repo’s yet!

As I use ffmpegthumbnailer for PS3 Video thumbnails I needed to find a solution to this.

If I had the time I’d knock up a .spec file & rpm, but for the time being I thought I’d post my bodge…. NUMBER ONE, if you’ve never typed “configure;make;make install” before you need to install the development tools.

sudo yum groupinstall “development tools”

Next pick up a couple of extra dependencies…

sudo yum install libpng libpng-devel ffmpeg ffmpeg-devel

You should now find that, if you download the source, unpack it – gunzip ffmpegthumbnailer-1.5.0.tar.gz;tar -xvf ffmpegthumbnailer-1.5.0.tar and cd ffmpegthumbnailer-1.5.0 hopefully you can complete ./configure without any errors.

If you try make at this point it’ll probably fail with errors, this is how I fixed that….

cd /usr/include/ffmpeg/
ln -s libavcodec/avcodec.h ./
ln -s libavformat/avformat.h ./
ln -s libswscale/swscale.h ./
ln -s libavformat/avio.h ./

Now you can… get back to the build

cd ~/ffmpegthumbnailer-1.5.0
sudo make install

If all has gone well you should have a working install :)

Evolution in Gnome 2.26

I’ve just noticed this in the Gnome 2.26 Release Notes

2.3. Evolution Evolves its Migration from Windows

GNOME’s e-mail and groupware suite, Evolution, has gained two important features for helping users who are migrating to GNOME from Microsoft Windows environments.

First is the ability to import Microsoft Outlook Personal Folders (PST files) directly in Evolution. E-mail, contacts, appointments, tasks and journal entries are supported. Previously, the files had to be imported via a third-party utility, such as Thunderbird on Windows.

Second is support for Microsoft Exchange’s MAPI protocol. This is the protocol that Microsoft Outlook uses to communicate with Exchange. Previously, Evolution only supported Exchange’s SOAP protocol, which is not available on all Exchange servers. This support significantly improves Evolution’s integration with Exchange servers.

All I can say is WOW!

Linux users will have known that MAPI support into gnome has been on the cards for a while, but .pst access is just brilliant!!

Monit Alerts via Twitter

In a bid to reduce the size of my inbox, I’ve decided to move monit alerts to twitter.
Sadly monit doesn’t support any kind of alert scripting, but the solution is simple.

  1. Create a new twitter account, something like “mymonitbot” and make the feed private.
  2. Set your “normal” twitter account to follow “mymonitbot”
  3. Now signup for an account with twittermail and give them mymonitbot’s credentials.
  4. Edit /etc/monit.conf, and change set alert to your new twittermail e-mail address
    If necessary edit monit’s message layout
  5. restart monit

After a few seconds you’ll get a tweet from your monit bot saying that monit was re-started :)

Tomboy on Windows

Recently the Tomboy Notes has been released for windows. This is great news, as my current work build is windows and I have a shed load of notes stuck on my linux box at home.

I found this didn’t work 1st time, so these are the steps.

You should now be able to run tomboy… it appears in your system tray.

Importing Notes.
If like me you have a linux box with a load of notes you want to read, then follow these steps.

On your linux box:

  • cd into $HOME/.tomboy
  • copy all .note files

Transfer the .note files to your windows box.

On your Windows box:

  • Exit tomboy
  • cd into C:\Users\<USERNAME>\AppData\Roaming\tomboy
  • paste all your .note files

Start Tomboy & Enjoy!


Load balance anything with HAProxy

Recently I wanted to load balance a TCP service i.e. not http, in the past I’ve used ultramonkey but there doesn’t seem to be any maintained Redhat/Centos packages.

After some googling I found that haproxy can balance non-http services but examples of non-http configurations are few and far between, this blog post lead me to my solution, so after the jump I have a haproxy.cfg which will load balance smtp round-robin style across 4 servers, you also get a webstats interface listening on http://IP:8080/haproxy?stats (username = me, password = password).

By changing the port numbers from 25 (SMTP) you can effectively load balance any TCP app :)

Continue reading

CS-Mars V6.0 in VMWARE (Franken Mars)

Emulating software is a very grey area for Cisco, they make their money by selling boxes so I guess officially Cisco don’t approve of things like GNS3 and PEMU. BUT cisco make a lot of their money from techies training in Cisco products who then get their management to buy boxes their certified in, as a result cisco appear to turn a blind eye to emulating their products for personal training purposes :)

So, I’m installing a CS-Mars box in the next couple of weeks and wanted to know what’s new in version 6. How to setup version 4 is already document here in this franken cs-mars guide, the thing is to upgrade from 4 to 6 is a re-image of the box. Upon re-imaging my VMWare appliance I realised that the lilo commands linux rw init=/bin/bash didn’t appear to work anymore. As a result I have a v6 mars box I can’t use due to a licensing problem.

To get this working read through both the old instructions, and what I have written.

The init/boot sequence of a mars box looks very much like a centos/fedora boot, so I thought up a cunning new plan. I downloaded the 1st installation CD of centos 5, after booting this CD instead of hitting “enter” and running the anaconda installer I typed linux rescue, this boots my appliance into a root linux shell. (See Update Below, boot from CentOS straight after MARS installs, don’t let MARS boot!)

What happened next was a little hit and miss, if you’re lucky you can type

mkdir /mnt/opt
mount /dev/md2 /mnt/opt

you can then

cd /mnt/opt/janus/release/bin
mv pnlicense pnlicense.org
echo "/bin/echo d84f7ceaf50f9c45683e2efb77752d4f:License verified:4:0:0:4" > pnlicense
chmod +x pnlicense

as per the old documentation.

If you’re unlucky this “mount” will fail, in this case ls /mnt/sysimage if you can’t see any files issue mount /dev/md1 /mnt/sysimage otherwise the plan is to change the root password so that we can edit the pnlicense file later.

Using vi edit /mnt/sysimage/etc/passwd, and change…




Next, setup your editor variable, and edit the suders file…

EDITOR=/mnt/sysimage/bin/vi;export EDITOR
visudo -f /mnt/sysimage/etc/suders

and add..

pnadmin ALL=(ALL)       NOPASSWD: ALL

Reboot by exiting the shell.

After the reboot login as pnadmin, you should now get a standard linux bash shell rather than the “hardened” cisco one. Change the root password…

sudo su
passwd root

And put /etc/password back to how it was. Now from the “pn shell” you can type expert and your root password will work and you’ll have root access to your mars box. With you new root access you can change the pnlicense file as described before and complete the setup process. :cool:

UPDATE: As commented by secopt below, to make this work you need to boot from the CentOS disk straight after the MARS image as installed, if you let the MARS OS boot (and start doing the oracle thing) then for some reason the mount commands don’t work!

UPDATE2: The mount command doesn’t work if you let MARS boot the 1st time as it changes the superblock, rokov has posted the following work around below…

  1. Assemble RAID
    mdadm –assemble /dev/md0 /dev/hda3 /dev/hdc3
  2. Change ext3 superblock magick number
    dd if=/dev/md0 skip=2 count=1 | sed ’s/\x5A\x7B/\x53\xEF/’ | dd of=/dev/md0 seek=2 count=1
  3. Mount partition
    mount /dev/md0 /mnt
  4. Do anything you want with it.
  5. Unmount partition and change magic back
    umount /mnt && d if=/dev/md0 skip=2 count=1 | sed ’s/\x53\xEF/\x5A\x7B/’ | dd of=/dev/md0 seek=2 count=1