Thursday, September 29, 2011

Linux Directory Structure Explained


One of the largest hurdles in learning Linux is the directory structure. While not complicated, it is very different from any Windows-based operating system, which is where most new Linux learners come from. Here's a quick explanation of the most important directories on a Linux distribution.
/bin - This directory contains most of your non-privileged system commands such as ls, mkdir, rm, etc.
/boot - Contains the system's boot image, bootloader, and the kernel
/dev - Symbolic links to system devices such as optical and removable drives
/etc - Contains all system configuration files and most configurations for installed packages
/home - Contains a home directory for each user, including their profile information
/lib - Contains dynamic libraries and modules for the Linux system and installed packages
/media - Contains mount points for optical drives and removable media
/mnt - Used as a location for mounted drives and shares
/opt - Contains user installed packages and custom software not handled by the system or package manager
/proc - An interface between the kernel and the system, useful for diagnostics and system information
/root - The root superuser's home directory
/sbin - Contains privileged commands that are usually run as superuser (root/sudo)
/sys - An interface between the kernel and the system, used for modifying system settings
/tmp - A location for temporary files such as sessions on a web server
/usr - Contains most installed packages that are not part of the system, user installed programs
/usr/bin - Contains commands related to user installed packages in /usr
/usr/sbin - Contains privileged commands related to user installed packages in /usr
/var - Contains files that change often or are accessed frequently
/var/log - Contains all system logs and most logs generated by installed packages
There are more default directories on a fresh Linux install but these are the main important locations. Please take special care when interacting with the /boot or /sys directories as a small error could make the system unstable or unable to boot.

Installing KVM and Creating a Debian VM in OpenIndiana 151a


KVM (Kernel-based Virtual Machine) was developed in Linux as a fast in-kernel virtualization solution that takes advantage of Intel VT and AMD-V hardware virtualization. Recently it was ported to OpenSolaris-derived operating systems such as Joyent's SmartOS and OpenIndiana. Currently libvirt is not supported, so creating a virtual machine is a somewhat manual process. In this post I will describe my process for creating KVM-based virtual machines on my OpenIndiana 151a server, using a Debian Linux install as the example.
First, download an install ISO of the operating system you'd like to install. I am fortunate enough to work for a university with access to Internet2, and I like to download ISOs from the University of Texas. Here is their Debian mirror.
Now, on your OpenIndiana 151a server, install the KVM module, application, and driver packages by executing:
# pkg install driver/i86pc/kvm \
system/qemu \
system/qemu/kvm
Next, if you’re using ZFS, create a zvol for your virtual machine hard drive. On my server, I have a mirrored zpool named local that I plan to install my virtual machines on.
# zpool status
pool: local
state: ONLINE
scan: none requested
config:

NAME STATE READ WRITE CKSUM
local ONLINE 0 0 0
mirror-0 ONLINE 0 0 0
c2d1 ONLINE 0 0 0
c3d1 ONLINE 0 0 0
c5d0 ONLINE 0 0 0

errors: No known data errors

pool: rpool
state: ONLINE
scan: none requested
config:

NAME STATE READ WRITE CKSUM
rpool ONLINE 0 0 0
c4d0s0 ONLINE 0 0 0

errors: No known data errors
local is one vdev of three mirrored 1TB drives as recommended for home servers in this great blog post by Constantin Gonzales. I want to create my virtual hard drives on this zpool.
# zfs list -r local
NAME USED AVAIL REFER MOUNTPOINT
local 256G 657G 31K /local
local/shared 256G 657G 172G /shared
local/shared/Virtual 83.8G 657G 33K /shared/Virtual
local/shared/Virtual/ISO 3.56G 657G 3.56G /shared/Virtual/ISO
local/shared/Virtual/KVM 80.2G 657G 43K /shared/Virtual/KVM
I decided to create a 10 gigabyte volume for my Debian virtual machine hard disk to live on.  Here’s the command I used to create it:
# zfs create -p -V 10G local/shared/Virtual/KVM/debian/disk0
The -p option creates any missing parent datasets underneath the given ZFS dataset path, -V tells ZFS this dataset is a zvol, and 10G says it is going to be 10 gigabytes in size. You can see the new zvol by running zfs list again:
# zfs list -r local
NAME USED AVAIL REFER MOUNTPOINT
local 292G 622G 31K /local
local/shared 292G 622G 174G /shared
local/shared/Virtual 117G 622G 33K /shared/Virtual
local/shared/Virtual/ISO 26.7G 622G 26.7G /shared/Virtual/ISO
local/shared/Virtual/KVM 90.6G 622G 46K /shared/Virtual/KVM
local/shared/Virtual/KVM/debian 10.3G 622G 31K /shared/Virtual/KVM/debian
local/shared/Virtual/KVM/debian/disk0 10.3G 632G 16K -
Now, we need to create a virtual network interface for the virtual machine to use.  Use dladm to list your current virtual network devices:
# dladm show-vnic
LINK OVER SPEED MACADDRESS MACADDRTYPE VID
vnic0 igb0 1000 0:0:dc:79:f6:e3 fixed 0
vnic1 igb0 1000 0:0:dc:79:f6:e4 fixed 0
vnic2 igb0 1000 0:0:dc:79:f6:b8 fixed 0
If you do not have any virtual network devices, nothing will be listed. Go ahead and create a new one for your new Debian instance on the physical network interface the virtual machine will be communicating over (mine is igb0; yours could be e1000g0, etc.):
# sudo dladm create-vnic -l igb0 vnic3
List the virtual network interfaces once again and make sure your new device is listed:
# dladm show-vnic
LINK OVER SPEED MACADDRESS MACADDRTYPE VID
vnic0 igb0 1000 0:0:dc:79:f6:e3 fixed 0
vnic1 igb0 1000 0:0:dc:79:f6:e4 fixed 0
vnic2 igb0 1000 0:0:dc:79:f6:b8 fixed 0
vnic3 igb0 1000 2:8:20:28:d8:67 random 0
Now create a start-up script for your new virtual machine. Below is the simple script I use to start my virtual machines. For this new Debian instance, I set the CD and HD variables to the Debian install ISO and my new zvol respectively. The VNIC variable is set to the new virtual network interface we created above. I set the memory to 1024MB and the VNC session number to 5.
#!/usr/bin/bash
# start-debian.sh: boot the Debian VM. Boot order is hard disk first, then
# CD-ROM, so the first run (empty zvol) falls through to the install ISO.

VNIC=vnic3                                                # VNIC created above with dladm
HD=/dev/zvol/dsk/local/shared/Virtual/KVM/debian/disk0   # zvol created above
CD=/shared/Virtual/ISO/debian-504-i386-netinst.iso       # install ISO
VNC=5                                                     # VNC display number (port 5905)
MEM=1024                                                  # guest memory in MB

# Reuse the MAC address dladm assigned to the VNIC for the guest's NIC.
MAC=$(dladm show-vnic -po macaddress $VNIC)

/usr/bin/qemu-kvm \
-boot cd \
-enable-kvm \
-vnc 0.0.0.0:$VNC \
-smp 2 \
-m $MEM \
-no-hpet \
-localtime \
-drive file=$HD,if=ide,index=0 \
-drive file=$CD,media=cdrom,if=ide,index=2 \
-net nic,vlan=0,name=net0,model=e1000,macaddr=$MAC \
-net vnic,vlan=0,name=net0,ifname=$VNIC,macaddr=$MAC \
-vga std
The /usr/bin/qemu-kvm executable requires root privileges, so I run the script with sudo:
# sudo ./start-debian.sh
If all goes well, the virtual machine should boot. A window with a graphical console will not appear as it does in VirtualBox or VMware; you will only see a bunch of text like this scroll by:
...
drive 0x000fda80: PCHS=16383/16/63 translation=lba LCHS=1024/255/63 s=20971520
Running option rom at cb00:0003
ebda moved from 9fc00 to 9f400
Returned 53248 bytes of ZoneHigh
e820 map has 7 items:
0: 0000000000000000 - 000000000009f400 = 1
1: 000000000009f400 - 00000000000a0000 = 2
2: 00000000000f0000 - 0000000000100000 = 2
3: 0000000000100000 - 000000003fffd000 = 1
4: 000000003fffd000 - 0000000040000000 = 2
5: 00000000feffc000 - 00000000ff000000 = 2
6: 00000000fffc0000 - 0000000100000000 = 2
enter handle_19:
NULL
Booting from Hard Disk...
Boot failed: not a bootable disk

enter handle_18:
NULL
Booting from DVD/CD...
150MB medium detected
Booting from 0000:7c00
From your workstation, use a VNC client (I use TightVNC) and connect to your KVM server using the session number you set up above. On my Linux workstation, I run:
jgrafton@pod:~$ vncviewer orion:5
If all has gone well and your KVM server's firewall is not blocking port 5905 (5900 + your VNC session number), the VNC client should connect to your KVM server and you should see something similar to this screenshot:
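The start-up script above, generalised into a launcher that validates its inputs before handing them to qemu-kvm, as an added example in Python (not the post's own script). It assumes the same layout as the post: the VM's zvol at local/shared/Virtual/KVM/<name>/disk0 and one dladm VNIC per VM, whose MAC is looked up with the same dladm command. The one deliberate difference from the post's script is that VNC is bound to 127.0.0.1 instead of 0.0.0.0: the qemu VNC console has no authentication of its own, so reach it through an SSH tunnel (ssh -L 5905:127.0.0.1:5905 orion, then vncviewer localhost:5) rather than opening port 5905 on the firewall.

```python
"""start_vm.py: launcher for the KVM/OpenIndiana setup described in the post.

Added example, not the post's own script. Assumes the post's layout
(zvol local/shared/Virtual/KVM/<name>/disk0, one dladm VNIC per VM).
Run as:  sudo python3 start_vm.py debian vnic3 5 --iso /shared/Virtual/ISO/x.iso
--dry-run prints the qemu-kvm argument list instead of executing it.
"""
import argparse
import os
import re
import subprocess
import sys

ZVOL_BASE = "local/shared/Virtual/KVM"   # assumption: same dataset path as the post
# dladm prints unpadded octets (2:8:20:28:d8:67), so allow 1-2 hex digits each.
MAC_RE = re.compile(r"^([0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}$")


def vnc_port(display):
    """VNC display N is served on TCP port 5900+N (the post's display 5 -> 5905)."""
    if not 0 <= display <= 99:
        raise ValueError("VNC display out of range: %r" % display)
    return 5900 + display


def valid_mac(mac):
    return bool(MAC_RE.match(mac))


def vnic_mac(vnic):
    """Same lookup as the post's MAC= line; raises if the VNIC does not exist."""
    out = subprocess.check_output(["dladm", "show-vnic", "-po", "macaddress", vnic])
    mac = out.decode().strip()
    if not valid_mac(mac):
        raise ValueError("unexpected MAC from dladm: %r" % mac)
    return mac


def build_argv(name, vnic, mac, display, mem_mb=1024, iso=None):
    """qemu-kvm argument list, one option per element (no shell, no eval).

    Unlike the post's script, VNC binds to 127.0.0.1: the console has no
    authentication, so it is reached over an SSH tunnel, not from the LAN.
    """
    hd = "/dev/zvol/dsk/%s/%s/disk0" % (ZVOL_BASE, name)
    argv = ["/usr/bin/qemu-kvm", "-boot", "cd", "-enable-kvm",
            "-vnc", "127.0.0.1:%d" % display, "-smp", "2", "-m", str(mem_mb),
            "-no-hpet", "-localtime",
            "-drive", "file=%s,if=ide,index=0" % hd]
    if iso:   # only attach a CD-ROM while installing
        argv += ["-drive", "file=%s,media=cdrom,if=ide,index=2" % iso]
    argv += ["-net", "nic,vlan=0,name=net0,model=e1000,macaddr=%s" % mac,
             "-net", "vnic,vlan=0,name=net0,ifname=%s,macaddr=%s" % (vnic, mac),
             "-vga", "std"]
    return argv


def main(args=None):
    p = argparse.ArgumentParser()
    p.add_argument("name")
    p.add_argument("vnic")
    p.add_argument("display", type=int)
    p.add_argument("--mem", type=int, default=1024)
    p.add_argument("--iso")
    p.add_argument("--dry-run", action="store_true")
    a = p.parse_args(args)
    port = vnc_port(a.display)                 # range check before anything else
    hd = "/dev/zvol/dsk/%s/%s/disk0" % (ZVOL_BASE, a.name)
    if not os.path.exists(hd):
        sys.exit("zvol for %s not found: %s" % (a.name, hd))
    mac = vnic_mac(a.vnic)
    argv = build_argv(a.name, a.vnic, mac, a.display, a.mem, a.iso)
    print("VNC console on 127.0.0.1:%d" % port, file=sys.stderr)
    if a.dry_run:
        print(" ".join(argv))
    else:
        os.execv(argv[0], argv)                # replace this process, like the shell script


if __name__ == "__main__":
    main()
```

Each VM gets its own name, VNIC and display number, exactly as the post requires; the display number is range-checked and the MAC returned by dladm is format-checked so that nothing unexpected ends up in the qemu-kvm command line.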

Install Debian and enjoy your new KVM virtual machine!  Remember, you’ll need a separate VNIC and VNC session number for each new virtual machine you create.  Have fun!
Let me know if it works for you by either leaving comments or tweeting me at @Graftolistic.

PHP-FPM/Nginx Security In Shared Hosting Environments (Debian/Ubuntu)


If you want to use nginx and PHP-FPM for shared hosting environments, you should think about security. In Apache/PHP environments you can use suExec and/or suPHP to make PHP execute under individual user accounts instead of a system user like www-data. There's no such thing for PHP-FPM, but fortunately PHP-FPM lets us set up a "pool" for each web site that makes PHP scripts execute as the user/group defined in that pool. This gives you all the benefits of suPHP, and in addition you don't have any FTP or SCP transfer problems, because PHP scripts don't need to be owned by a specific user/group to be executed as the user/group defined in the pool.
I do not issue any guarantee that this will work for you!

1 Preliminary Note

I use a vhost called www.example.com/example.com here with the document root /var/www/www.example.com/web.
You should have a working LEMP installation, as shown in these tutorials:
A note for Ubuntu users:
Because we must run all the steps from this tutorial with root privileges, we can either prepend every command in this tutorial with sudo, or become root right now by typing
sudo su

2 What We Have So Far

On Debian/Ubuntu, PHP-FPM's pool directory is /etc/php5/fpm/pool.d/ - this is where new pools will be created. The php.ini used by PHP-FPM is /etc/php5/fpm/php.ini. There's one pool already, www.conf - let's take a look at it:
vi /etc/php5/fpm/pool.d/www.conf
; Start a new pool named 'www'.
; the variable $pool can we used in any directive and will be replaced by the
; pool name ('www' here)
[www]

; Per pool prefix
; It only applies on the following directives:
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool

; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses on a
; specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = 127.0.0.1:9000

; Set listen(2) backlog. A value of '-1' means unlimited.
; Default Value: 128 (-1 on FreeBSD and OpenBSD)
;listen.backlog = -1

; List of ipv4 addresses of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
;listen.allowed_clients = 127.0.0.1

; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
; mode is set to 0666
;listen.owner = www-data
;listen.group = www-data
;listen.mode = 0666

; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
user = www-data
group = www-data

; Choose how the process manager will control the number of child processes.
; Possible Values:
; static - a fixed number (pm.max_children) of child processes;
; dynamic - the number of child processes are set dynamically based on the
; following directives:
; pm.max_children - the maximum number of children that can
; be alive at the same time.
; pm.start_servers - the number of children created on startup.
; pm.min_spare_servers - the minimum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is less than this
; number then some children will be created.
; pm.max_spare_servers - the maximum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is greater than this
; number then some children will be killed.
; Note: This value is mandatory.
pm = dynamic

; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes to be created when pm is set to 'dynamic'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI.
; Note: Used when pm is set to either 'static' or 'dynamic'
; Note: This value is mandatory.
pm.max_children = 50

; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
;pm.start_servers = 20

; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'

; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 5

; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 35

; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
;pm.max_requests = 500

; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. By default, the status page shows the following
; information:
; accepted conn - the number of request accepted by the pool;
; pool - the name of the pool;
; process manager - static or dynamic;
; idle processes - the number of idle processes;
; active processes - the number of active processes;
; total processes - the number of idle + active processes.
; max children reached - number of times, the process limit has been reached,
; when pm tries to start more children (works only for
; pm 'dynamic')
; The values of 'idle processes', 'active processes' and 'total processes' are
; updated each second. The value of 'accepted conn' is updated in real time.
; Example output:
; accepted conn: 12073
; pool: www
; process manager: static
; idle processes: 35
; active processes: 65
; total processes: 100
; max children reached: 1
; By default the status page output is formatted as text/plain. Passing either
; 'html' or 'json' as a query string will return the corresponding output
; syntax. Example:
; http://www.foo.bar/status
; http://www.foo.bar/status?json
; http://www.foo.bar/status?html
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;pm.status_path = /status

; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping

; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong

; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_terminate_timeout = 0

; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0

; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
;slowlog = log/$pool.log.slow

; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024

; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0

; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
; possible. However, all PHP paths will be relative to the chroot
; (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =

; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
chdir = /

; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page
; process time (several ms).
; Default Value: no
;catch_workers_output = yes

; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
;env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp

; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
; php_value/php_flag - you can set classic ini defines which can
; be overwritten from PHP call 'ini_set'.
; php_admin_value/php_admin_flag - these directives won't be overwritten by
; PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.

; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.

; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or /usr)

; Default Value: nothing is defined by default except the values in php.ini and
; specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M
As you see, this pool is listening on port 9000 on localhost (127.0.0.1), and it is being run as the user and group www-data.
Let's take a look at the PHP configuration in your vhost:
vi /etc/nginx/sites-available/example.com.vhost
server {
[...]
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_script_name;
include /etc/nginx/fastcgi_params;
}
[...]
}
The important part is the line fastcgi_pass 127.0.0.1:9000; - this makes nginx pass PHP requests to the PHP-FPM process listening on port 9000 on localhost (127.0.0.1) - as you remember, this is our pool defined in /etc/php5/fpm/pool.d/www.conf which means PHP scripts are executed as the user and group www-data.

3 Defining An Individual Pool For Each Website

My example.com website is owned by the user web1 and the group client0, so I want my PHP scripts to be executed as that user and group. Therefore I define a new pool /etc/php5/fpm/pool.d/example.com.conf:
vi /etc/php5/fpm/pool.d/example.com.conf
[example.com]

listen = 127.0.0.1:9001

listen.allowed_clients = 127.0.0.1

user = web1
group = client0

pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35

chdir = /
As you see, I make this pool listen on port 9001 instead of 9000, and I define the user as web1 and the group as client0. You can define as many pools as you like, but make sure you use an unused port for each pool (9002, 9003, etc.).
Reload PHP-FPM:
/etc/init.d/php5-fpm reload
Now we change our vhost configuration to make use of the new pool. All you need to change is the port in the fastcgi_pass line:
vi /etc/nginx/sites-available/example.com.vhost
server {
[...]
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass 127.0.0.1:9001;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_script_name;
include /etc/nginx/fastcgi_params;
}
[...]
}
Reload nginx afterwards:
/etc/init.d/nginx reload
That's it! PHP scripts are now being executed as the user web1 and the group client0.
You can make PHP even more secure by changing PHP settings individually for each vhost. Take a look at the bottom of /etc/php5/fpm/pool.d/www.conf, it has some examples of how to achieve this.
For example, you could set open_basedir or disable_functions in the /etc/php5/fpm/pool.d/example.com.conf pool.
vi /etc/php5/fpm/pool.d/example.com.conf
[example.com]

listen = 127.0.0.1:9001

listen.allowed_clients = 127.0.0.1

user = web1
group = client0

pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35

chdir = /

php_admin_value[open_basedir] = /var/www/www.example.com:/usr/share/php5:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin
php_admin_value[disable_functions] = dl,exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
Reload PHP-FPM:
/etc/init.d/php5-fpm reload

3.1 Using Sockets Instead Of TCP Connections

Up to now we have used TCP connections for our PHP-FPM pools (127.0.0.1:9000, 127.0.0.1:9001, etc.). This causes some overhead. Fortunately we can use Unix sockets instead of TCP connections for our pools and get rid of this overhead, so Unix sockets perform better than TCP connections here.
I want the sockets to be created in the /var/run/php5-fpm directory, so we have to create that directory first:
mkdir /var/run/php5-fpm
To use a Unix socket, we simply change the listen line in our pool definition, comment out or remove the listen.allowed_clients line (makes sense only for TCP connections), and add the lines listen.owner (defines the owner of the socket), listen.group (defines the group of the socket), and listen.mode (defines the permissions of the socket):
vi /etc/php5/fpm/pool.d/example.com.conf
[example.com]

listen = /var/run/php5-fpm/example.com.sock

;listen.allowed_clients = 127.0.0.1
listen.owner = web1
listen.group = client0
listen.mode = 0660

user = web1
group = client0

pm = dynamic
pm.max_children = 50
pm.start_servers = 20
pm.min_spare_servers = 5
pm.max_spare_servers = 35

chdir = /
Reload PHP-FPM afterwards:
/etc/init.d/php5-fpm reload
Take a look at the /var/run/php5-fpm directory:
ls -l /var/run/php5-fpm
You should find the socket example.com.sock there with the permissions 0660, owned by the user web1 and the group client0:
root@server1:~# ls -l /var/run/php5-fpm
total 0
srw-rw---- 1 web1 client0 0 2011-09-21 11:08 example.com.sock
root@server1:~#
Finally we must change the fastcgi_pass line in our nginx vhost to fastcgi_pass unix:/var/run/php5-fpm/example.com.sock;:
vi /etc/nginx/sites-available/example.com.vhost
server {
[...]
location ~ \.php$ {
try_files $uri =404;
fastcgi_pass unix:/var/run/php5-fpm/example.com.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_script_name;
include /etc/nginx/fastcgi_params;
}
[...]
}
Reload nginx afterwards:
/etc/init.d/nginx reload
That's it!
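A check for the pool layout built in sections 3 and 3.1, as an added example that is not part of the tutorial: it parses the files in pool.d and reports pools that still run as www-data (or root), TCP listeners bound to a non-loopback address or without listen.allowed_clients, Unix sockets whose listen.mode is world-accessible (PHP-FPM's documented default is 0666), two pools sharing one listen value, and pools that set neither open_basedir nor disable_functions. The directive names are the real ones from www.conf; the sample pool text embedded in the script is constructed for the demonstration and the script filename is hypothetical.

```python
"""fpm_pool_audit.py: audit PHP-FPM pool definitions for per-site isolation.

Added example, not part of the tutorial. Usage:
    python3 fpm_pool_audit.py /etc/php5/fpm/pool.d
With no argument it audits the constructed SAMPLE_POOLS text below.
"""
import glob
import os
import sys
from collections import defaultdict

LOOPBACK = ("127.0.0.1", "localhost", "::1")
SHARED_USERS = {"root", "www-data"}

# Constructed sample: the stock www pool, the hardened example.com pool from
# section 3.1, and a second site set up carelessly.
SAMPLE_POOLS = """\
[www]
listen = 127.0.0.1:9000
user = www-data
group = www-data
pm = dynamic
pm.max_children = 50

[example.com]
listen = /var/run/php5-fpm/example.com.sock
;listen.allowed_clients = 127.0.0.1
listen.owner = web1
listen.group = client0
listen.mode = 0660
user = web1
group = client0
chdir = /
php_admin_value[open_basedir] = /var/www/www.example.com:/usr/share/php5:/tmp
php_admin_value[disable_functions] = dl,exec,passthru,shell_exec,system,proc_open,popen

[example.org]
listen = 127.0.0.1:9000
user = web2
group = client0
"""


def parse_pools(text):
    """Minimal parser for PHP-FPM's ini-style pool files: {pool: {directive: value}}.

    Lines starting with ';' are comments; a later duplicate directive wins, as
    in PHP-FPM. Bracketed names such as php_admin_value[open_basedir] are kept
    whole so the audit can look them up directly.
    """
    pools, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            pools[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pools[current][key.strip()] = value.strip()
    return pools


def audit_pool(cfg):
    """Findings (strings) for one pool; an empty list means it passed."""
    findings = []
    user = cfg.get("user")
    if not user:
        findings.append("no 'user' set")
    elif user in SHARED_USERS:
        findings.append("runs as shared account '%s'; its scripts are not isolated from other sites" % user)
    listen = cfg.get("listen", "")
    if listen.startswith("/"):                       # Unix socket
        mode = cfg.get("listen.mode", "0666")        # PHP-FPM's documented default
        if int(mode, 8) & 0o006:
            findings.append("unix socket %s is world-accessible (listen.mode=%s)" % (listen, mode))
    else:                                            # TCP: 'host:port' or bare 'port'
        host = listen.rsplit(":", 1)[0].strip("[]") if ":" in listen else ""
        if host not in LOOPBACK:
            findings.append("TCP listener '%s' is not bound to loopback" % listen)
        if not cfg.get("listen.allowed_clients"):
            findings.append("TCP listener without listen.allowed_clients")
    for opt in ("open_basedir", "disable_functions"):
        if not cfg.get("php_admin_value[%s]" % opt):
            findings.append("php_admin_value[%s] not set" % opt)
    return findings


def audit_pools(pools):
    """Per-pool findings plus the cross-pool check that no two pools share a listen."""
    report = {name: audit_pool(cfg) for name, cfg in pools.items()}
    by_listen = defaultdict(list)
    for name, cfg in pools.items():
        by_listen[cfg.get("listen")].append(name)
    for listen, names in by_listen.items():
        for n in (names if len(names) > 1 else []):
            others = ", ".join(x for x in names if x != n)
            report[n].append("listen '%s' is also used by %s" % (listen, others))
    return report


def main(argv):
    pools = {}
    if argv:
        for path in sorted(glob.glob(os.path.join(argv[0], "*.conf"))):
            with open(path) as fh:
                pools.update(parse_pools(fh.read()))
    else:
        pools = parse_pools(SAMPLE_POOLS)
    for name, findings in sorted(audit_pools(pools).items()):
        print("[%s] %s" % (name, "ok" if not findings else ""))
        for f in findings:
            print("  - " + f)


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it after every pool change and again after the PHP-FPM reload; the example.com pool from section 3.1 passes, while the stock www pool is flagged for running as www-data and for sharing port 9000 with the careless second site.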

Friday, September 23, 2011

How to use Linux containers (lxc) under Debian Squeeze


In this article you will learn what virtualization is, why you would use it, and how to use one kind of virtualization, Linux containers (aka lxc), under Debian Squeeze.

What is virtualization?

Virtualization can be defined as a way to run a virtual machine on a real machine.
A taxonomy of virtual machines has been defined in the book Virtual Machines: Versatile Platforms for Systems and Processes by Jim Smith and Ravi Nair. The first split is between Process VMs and System VMs. Process VMs support an ABI (user instructions and system calls). System VMs support a complete ISA (instruction set architecture), both user and system instructions.
Sub-types are then defined by whether they use the same ISA as the host system:
  1. Process VM using the same ISA. Example: WINE.
  2. Process VM using a different ISA. Example: Java Virtual Machines.
  3. System VM using the same ISA. Example: KVM.
  4. System VM using a different ISA. Example: QEMU for other architecture.
In this article we focus on System VMs using the same ISA. This category can be divided as follows:
  1. Type 1 virtual machines: the hypervisor runs directly on the hardware. Examples: VMware ESXi, Citrix XenServer or the Microsoft Hyper-V hypervisor.
  2. Type 2 virtual machines: the hypervisor runs on another operating system, such as Linux. Example: VirtualBox.
Among the type 2 VMs there is a special sub-category: containers. These VMs run under the same kernel as the host. Examples: LXC, OpenVZ, Solaris zones. Containers are very efficient in terms of performance because there is no need to virtualize devices: the host system's drivers do the job for the containers with very low overhead.
We will concentrate in this article on a container implementation distributed with the standard Linux kernel: lxc. Containers are a very lightweight virtualization technology implemented on a given kernel, here the Linux kernel in the case of lxc. This means you will only be able to run Linux systems that are compatible with the host kernel in your containers; you will not be able to run Windows, for example, in a container.
A container works like a chroot on steroids by adding a complete virtual system to a chroot and bringing tools to handle the virtual resources.

Why virtualization?

Virtualization can be useful in multiple scenarios. Mainly you want isolation when you use virtualization. Isolation can be needed for security reasons, flexibility reasons, incompatibility reasons, test reasons, licence reasons…
In our example here, imagine you need to run a Debian sid system under your stable Debian Squeeze system, to be able to run tests on this in-development Linux distribution without dedicating a physical machine to them.

lxc step by step under Debian Squeeze

The following commands to set up lxc are run under Debian Squeeze, but they could be adapted to run on any Linux distribution.
Under Debian Squeeze everything needed is already present. No need to recompile your kernel or download anything extra.

lxc setup

The command line tools to control lxc containers are in the lxc package:
# apt-get install lxc
Then you need to create a special filesystem for the tools to work. Create a /cgroup directory and then add the following to /etc/fstab to have it mounted automatically on each boot:
cgroup        /cgroup        cgroup        defaults    0    0
and mount it manually:
# mount /cgroup
The cgroups filesystem lets you manage control groups, which provide a mechanism for aggregating/partitioning sets of tasks, and all their future children, into hierarchical groups with specialized behaviour. This is the basis of the container implementation used by lxc. For the curious, you will find more information about cgroups in the kernel documentation: www.kernel.org/doc/Documentation/cgroups/.

Network setup

To set up the networking, you will need the bridge tools:
# apt-get install bridge-utils
First you need to configure a bridge to be used between the VMs and the host system. Change /etc/network/interfaces to declare your bridge interface br0 which includes your ethernet card eth0 like this:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#allow-hotplug eth0
#iface eth0 inet dhcp

# Setup bridge
auto br0
iface br0 inet dhcp
bridge_ports eth0
bridge_fd 0
Adapt to your local network setup.

Creating your first Debian sid container

One way to install a Debian distribution on disk is to use debootstrap.
# apt-get install debootstrap
With this tool, you will install a minimal set of packages to be able to access your container via ssh:
# debootstrap --verbose --variant=minbase --arch=i386 --include ifupdown,locales,libui-dialog-perl,\
dialog,dhcp3-client,netbase,net-tools,iproute,openssh-server \
sid /var/lib/lxc/sid http://ftp.debian.org/debian
...
I: Base system installed successfully.
To define your sid container, create a config file /etc/lxc/sid.conf that sets the root directory location, the device settings, and how to create the network device:
lxc.tty = 6
lxc.pts = 1024
lxc.rootfs = /var/lib/lxc/sid
lxc.cgroup.devices.deny = a
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rwm
# network
lxc.network.type = veth
lxc.network.flags = up
lxc.network.link = br0
lxc.network.name = eth0
lxc.network.hwaddr = 00:FF:12:34:56:78
Configure networking on your container in /var/lib/lxc/sid/etc/network/interfaces:
# interfaces(5) file used by ifup(8) and ifdown(8)
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
Then execute the following commands to disable services that are not needed in a container:
# rootfs=/var/lib/lxc/sid
# chroot $rootfs /usr/sbin/update-rc.d -f umountfs remove
# chroot $rootfs /usr/sbin/update-rc.d -f hwclock.sh remove
# chroot $rootfs /usr/sbin/update-rc.d -f hwclockfirst.sh remove
Simplify /etc/inittab, because you don't need virtual consoles and other things:
# /etc/inittab: init(8) configuration.
# $Id: inittab,v 1.91 2002/01/25 13:35:21 miquels Exp $

# The default runlevel.
id:2:initdefault:

# Boot-time system configuration/initialization script.
# This is run first except when booting in emergency (-b) mode.
si::sysinit:/etc/init.d/rcS

# What to do in single-user mode.
~~:S:wait:/sbin/sulogin

# /etc/init.d executes the S and K scripts upon change
# of runlevel.
#
# Runlevel 0 is halt.
# Runlevel 1 is single-user.
# Runlevels 2-5 are multi-user.
# Runlevel 6 is reboot.

l0:0:wait:/etc/init.d/rc 0
l1:1:wait:/etc/init.d/rc 1
l2:2:wait:/etc/init.d/rc 2
l3:3:wait:/etc/init.d/rc 3
l4:4:wait:/etc/init.d/rc 4
l5:5:wait:/etc/init.d/rc 5
l6:6:wait:/etc/init.d/rc 6
# Normally not reached, but fallthrough in case of emergency.
z6:6:respawn:/sbin/sulogin

# What to do when CTRL-ALT-DEL is pressed.
ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

# /sbin/getty invocations for the runlevels.
#
# The "id" field MUST be the same as the last
# characters of the device (after "tty").
#
# Format:
#  <id>:<runlevels>:<action>:<process>
#
1:2345:respawn:/sbin/getty 38400 console
Set a password for the root user so that you can log in and do something on your system:
# rootfs=/var/lib/lxc/sid
# chroot $rootfs passwd
So now you are ready to launch your container:
# lxc-start -n sid -f /etc/lxc/sid.conf
INIT: version 2.88 booting
Using makefile-style concurrent boot in runlevel S.
Activating swap...done.
Mount point '/dev/console' does not exist. Skipping mount. ... (warning).
Mount point '/dev/ptmx' does not exist. Skipping mount. ... (warning).
Activating lvm and md swap...done.
Checking file systems...fsck from util-linux 2.19.1
done.
Mounting local filesystems...done.
Activating swapfile swap...done.
Cleaning up temporary files....
Cleaning up ifupdown....
Setting up networking....
Configuring network interfaces...Internet Systems Consortium DHCP Client 4.1.1-P1
Copyright 2004-2010 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

Listening on LPF/eth0/00:ff:12:34:56:78
Sending on LPF/eth0/00:ff:12:34:56:78
Sending on Socket/fallback
DHCPREQUEST on eth0 to 255.255.255.255 port 67
DHCPACK from 192.168.122.1
bound to 192.168.122.161 -- renewal in 1671 seconds.
done.
Cleaning up temporary files....
Setting kernel variables ...done.
INIT: Entering runlevel: 2
Using makefile-style concurrent boot in runlevel 2.
Starting OpenBSD Secure Shell server: sshd.

Debian GNU/Linux wheezy/sid debian console

debian login:
If you log in as root, you can now do whatever you want in your container, as on a normal Debian sid system.
If you want to stop your container do the following in another terminal:
# lxc-stop -n sid
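As an added example (not code from the original article), a small Python audit of the device allowlist in the /etc/lxc/sid.conf shown above: it parses the lxc.cgroup.devices lines, resolves each allowed major:minor to its /dev name (lookup table constructed here from the config's own comments and the Linux devices list), and flags entries that would undermine the default-deny, such as allow = a, block devices or /dev/mem. The finding texts and the checks are this example's own.

```python
import re

# Constructed copy of the device lines from the /etc/lxc/sid.conf shown above
# (sample input for this example, not read from disk).
SID_CONF = """\
lxc.rootfs = /var/lib/lxc/sid
lxc.cgroup.devices.deny = a
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rwm
"""

# (major, minor) -> /dev name, built from the config's own comments and the
# Linux devices list (lookup table constructed for this example).
KNOWN_CHAR = {
    (1, "3"): "/dev/null", (1, "5"): "/dev/zero",
    (1, "8"): "/dev/random", (1, "9"): "/dev/urandom",
    (4, "0"): "/dev/tty0", (4, "1"): "/dev/tty1",
    (5, "0"): "/dev/tty", (5, "1"): "/dev/console", (5, "2"): "/dev/ptmx",
    (136, "*"): "/dev/pts/*", (254, "0"): "/dev/rtc",
}
# Character devices exposing host memory or I/O ports; allowing them defeats
# the default-deny rule.
DANGEROUS_CHAR = {(1, "1"): "/dev/mem", (1, "2"): "/dev/kmem", (1, "4"): "/dev/port"}

RULE = re.compile(r"^lxc\.cgroup\.devices\.(allow|deny)\s*=\s*(.+)$")

def parse_device_rules(text):
    """Return (deny_all, allows); allows is a list of (type, major, minor, access)."""
    deny_all, allows = False, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            continue  # lxc.rootfs, lxc.network.*, ... are not device rules
        action, spec = m.group(1), m.group(2).split()
        if spec == ["a"]:  # "a" stands for every device, for deny and allow alike
            if action == "deny":
                deny_all = True
            else:
                allows.append(("a", "*", "*", "rwm"))
        elif action == "allow" and len(spec) == 3:
            major, minor = spec[1].split(":")
            allows.append((spec[0], major, minor, spec[2]))
    return deny_all, allows

def audit_devices(text):
    """Return a list of findings; an empty list means the allowlist looks minimal."""
    deny_all, allows = parse_device_rules(text)
    findings = []
    if not deny_all:
        findings.append("missing 'lxc.cgroup.devices.deny = a' default-deny rule")
    for dtype, major, minor, access in allows:
        if dtype == "a":
            findings.append("'allow = a' grants every host device")
        elif dtype == "b":
            findings.append(f"block device {major}:{minor} allowed ({access}): raw disk access")
        elif dtype == "c":
            if major == "*":
                findings.append(f"character device major wildcard *:{minor} allowed")
                continue
            key = (int(major), minor)
            if key in DANGEROUS_CHAR:
                findings.append(f"{DANGEROUS_CHAR[key]} ({major}:{minor}) allowed")
            elif key not in KNOWN_CHAR:
                findings.append(f"unrecognised character device {major}:{minor} ({access})")
    return findings

def describe_allowlist(text):
    """List (spec, access, /dev name or '?') for every allow rule, in config order."""
    rows = []
    for dtype, major, minor, access in parse_device_rules(text)[1]:
        name = "?"
        if dtype == "c" and major != "*":
            name = KNOWN_CHAR.get((int(major), minor), "?")
        rows.append((f"{dtype} {major}:{minor}", access, name))
    return rows

if __name__ == "__main__":
    for spec, access, name in describe_allowlist(SID_CONF):
        print(f"{spec:<12} {access}  {name}")
    print("findings:", audit_devices(SID_CONF) or "none")
```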

Integration into the boot sequence

To have your containers started at boot, you have to edit /etc/default/lxc the following way:
# Comment out to run the lxc init script
RUN=yes

# Directory containing the container configurations
CONF_DIR=/etc/lxc

# Start /etc/lxc/example.conf, /etc/lxc/autostart.conf, etc.
CONTAINERS="sid"
The lxc init script will then start and stop the listed containers when needed. You can also run it manually:
# /etc/init.d/lxc start
Starting LXC containers: sid.
# /etc/init.d/lxc info
Info on LXC containers: lxc.
'sid' is RUNNING
# /etc/init.d/lxc stop
Stopping LXC containers: sid.
# /etc/init.d/lxc info
Info on LXC containers: lxc.
'sid' is STOPPED
In other articles we will present advanced usages of lxc. Stay tuned!

Using and configuring Samba under Linux/Unix


If you are working in a heterogeneous environment, that is Windows and Linux/Unix, chances are sooner or later you will have to deal with Samba. Samba's name comes from Microsoft's SMB (Server Message Block), which is the protocol used for Microsoft's standard network file system. We will show you how to install, configure and use Samba, and what advantages it can bring to your network, be it at home or at work. We expect you have some basic Linux/Unix administration knowledge and we expect you're not afraid of the command line. But first, what can you do with Samba? Where does it become useful for you?
Samba is very useful for interacting with the Windows systems in your network: it provides file sharing, printer sharing, Active Directory features and Primary Domain Controller integration. In practical terms, if you want to set up a file/print server for Windows machines, Samba is for you. Why wouldn't you use a Windows machine for the task? Well, you can benefit from the increased security and stability a Linux/Unix system has to offer, for one. Next, you can set up a Samba server on a less powerful computer that runs no GUI or unneeded services. We set up a Samba server with Linux and it has been running 24/7 since 2009-ish with no problems. The hardware is almost ten years old, but it does the job very well, since Samba is not a CPU or memory hog. So, a Samba machine is the "set it and forget it" type. Since it runs Linux, it was trivial to set up rsync on it for backups, plus the appropriate cronjob, and that was about it. It Just Works(TM). Now let's start at the beginning and see how and what to install.

2. Installing Samba

We will start by installing Samba on Linux first, and look at a few major distributions.

2.1. Debian and derivatives

On these systems, just type
# apt-get install samba samba-common smbclient
and that's that. We suppose you're the network admin and have access to information such as workgroups or printer names, because when Debian sets up Samba you will be asked basic questions such as the workgroup/DN or how you want to start Samba (daemon or inetd; we recommend daemon). This makes for an easier setup, but it's not a substitute for editing the smb.conf file and other related chores.

2.2. Fedora/Redhat and derivatives

On Fedora/Redhat, one installs Samba by installing the same package names, only with yum instead of apt-get, of course. Fedora offers a system configuration tool called system-config-samba you can use, but we recommend the traditional way, because you will learn more and you'll be able to use what you learned on other systems. If you want everything Samba-related, just type
# yum groupinstall "Windows File Server"
to get advanced SMB/CIFS features like LDAP and Active Directory.

2.3. Slackware, Gentoo and Arch

On Slackware, download the 'samba-$version' package from one of the mirrors (the n category) and use installpkg on it. On Gentoo, you better be aware of the Samba-specific USE flags (kerberos acl cups ldap pam readline python winbind) and enable them according to what you want to achieve, then
# emerge net-fs/samba 
See here for a complete tutorial on how to set up Samba on Gentoo. Arch Linux is as well-documented as it always was, so this is the place to go for Arch-specific instructions. In short, installing the samba package will give you all you need.

2.4. BSD systems

On FreeBSD, the port name is net/samba34, with similar names on NetBSD and OpenBSD. So on FreeBSD, we do
# cd /usr/ports/net/samba34 && make install clean 
Please take note that we will try to remain as OS-agnostic as possible in our tutorial here, so if you need something specific, use the respective OS's documentation. As long as you have a Unix(-like) OS with Samba installed, you're good to go.

3. Setting up Samba

3.1. Defining a purpose

Before you rush and start editing configuration files, we suggest you take a minute to think about your purpose. What do you want to accomplish? Do you need just file sharing? Or printer sharing too? Should the access be public? Think about security and your site's policy. Who will have access to the shares?
We assume, for the rest of this tutorial, that you want to set up a Samba server for file and printer sharing in a corporate environment with Linux and Windows machines. Active Directory, although linked to Samba, is a little outside the scope of this article. So, we want to set up Samba like so:
  • One folder that holds the shared data
  • A limited and known userbase that have access to the share
  • Two printers to be shared to the aforementioned users
  • Unix-to-Unix file sharing is a different matter and will not be discussed here.

3.2. Defining folders and users

One starts configuring a Samba server by creating a folder that will hold the shared data. This part and the user creation part following it are the main source of access-denied headaches if misconfigured. So, we will perform a
# mkdir mywinshare 
to create the folder to use with Samba. Besides permissions on the folder, be careful with the location: some people recommend /, others /home/$user, others /var. Choose what suits you, but keep in mind the following: we know a fellow sysadmin who stored his Samba share in /var and forgot to back it up at reinstall. He kept /home on a separate partition, so that wasn't erased, but the rest of the disk, including /var, was. Oops. If that's your case, talk to your backup administrator; it's better to be safe than sorry. And of course, back up often. This cannot be emphasized enough.
Depending on what you want to achieve, that is, read-only or read/write, you should set the permissions accordingly. Always remember security and try not to use permissions like 775 or 777 if you see access denied errors. Use something sensible depending on your configuration, because you are risking making your share available to the whole world (that is, if your server has outside access) and you don't want that. Make changes to permissions gradually until you hit the spot.
Next we create a user to access the share:
# useradd smbuser 
and we set up a password:
# smbpasswd -a smbuser 
Repeat these two steps if you want more users, of course. Now that we have the share and the user(s), let's get to the configuration proper. This revolves around editing /etc/samba/smb.conf (the default location). This file is divided logically into sections and commented depending on the distribution, but anyway, its syntax is easy to understand.

3.3. smb.conf and its sections

3.3.1. [global]

The [global] section looks something like
workgroup = WORKGROUP
netbios name = fileserver
server string = %h server (Samba %v)
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
load printers = yes
printing = cups
printcap name = cups
Adjust accordingly, of course, and do not forget to read the manual for all available options, as there are quite a few. We offered a link to the official Samba manual, but you're better off using your distro's documentation. On Debian, installing samba-doc does this for you. On other distros (Fedora, Arch), the documentation is included in the samba package.

3.3.2. The shares section

What you need next is a name by which mywinshare will be visible to the world. We'll create a section named WINSHARE and populate it thusly:
[WINSHARE]

path=/mywinshare
browseable=yes
writeable=yes
valid users = smbuser
admin users = smbadmin
Be wary of the 'writeable' option and make sure this is what you want. If you want to add another shared directory, just mkdir it and create another section for it. We recommend fragmentation for better administration and happier users. For example, you will want a share for administrators, another for developers and yet another for "normal" users, each with their own folders, sections and appropriate rights.

3.3.3. Sharing printers

Next you might want to share a printer. Here it's a more complicated story, as you have to set up the printer on the server first in order to be able to share it. Depending on your network configuration and topology, you have two options: get some old computer, install Windows on it, install the printer you wanna share on it locally and share it on the network. Many times this is the simpler solution, but you sacrifice stability and speed. The other option is to share the printer via Samba, again, after you install it on the Samba server. Linux printing is a thorny subject, too long to detail here, but the idea is that when you get a printer for Samba sharing, make sure it works with Linux (or BSD, Solaris, ...). We presume that you have the printer installed locally and working, so we go and create a printers section, after we make sure that CUPS (for the sake of example) is running and set up.
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = yes
writable = no
printable = yes
printer admin = root, smbadmin, @ntadmins, @smbprintadm
A leading '@' marks a group rather than a user.

3.3.4. Printer drivers

You might wanna make the life of your users a little better, because that's your job, and provide printer drivers for your Windows clients. You will name the section print$ (remember the square brackets) and use about the same syntax you used in the printers section:
[print$]
comment = Printer Driver Area
path = /var/lib/samba/printers
; This is a comment to let you know the above location will store the drivers
browseable = yes
guest ok = yes
read only = yes
write list = printadm
Needless to say, the user printadm must exist and have Samba permissions (see above).
Now we have a pretty much complete smb.conf for our purposes, as stated above. We shall use testparm (no arguments) to test our config file and make sure there are no typos or syntax errors. If everything looks ok, remember to (re)start your Samba and you're ready to go.
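As an added example (not from the original tutorial), a Python check over an smb.conf assembled from the sections above: it parses the file with configparser (interpolation off, because Samba values contain %h and %v), works out whether each share is writable from writeable/writable/read only, and flags the combinations the text warns about, namely a writable share that is also guest ok, or writable with no valid users, and reports who is on a write list. The finding texts and checks are this example's own, not Samba's.

```python
import configparser
from io import StringIO

# Constructed smb.conf assembled from the [global], [WINSHARE], [printers] and
# [print$] sections shown above (sample input for this example, not read from disk).
SMB_CONF = """\
[global]
workgroup = WORKGROUP
netbios name = fileserver
server string = %h server (Samba %v)
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
load printers = yes
printing = cups
printcap name = cups

[WINSHARE]
path=/mywinshare
browseable=yes
writeable=yes
valid users = smbuser
admin users = smbadmin

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = yes
writable = no
printable = yes
printer admin = root, smbadmin, @ntadmins, @smbprintadm

[print$]
comment = Printer Driver Area
path = /var/lib/samba/printers
; This is a comment to let you know the above location will store the drivers
browseable = yes
guest ok = yes
read only = yes
write list = printadm
"""

def load_smb_conf(text):
    # Samba values such as "%h server (Samba %v)" contain %-sequences, so turn
    # off configparser's interpolation; option names are lower-cased like Samba does.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_file(StringIO(text))
    return cp

def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def share_is_writable(section):
    # "writeable"/"writable" are synonyms; "read only" is the inverse and
    # Samba's default is read only = yes.
    for key in ("writeable", "writable"):
        if key in section:
            return is_yes(section[key])
    if "read only" in section:
        return not is_yes(section["read only"])
    return False

def audit_shares(text):
    """Return {share: [findings]} for every non-global section; an empty list means no concern."""
    cp = load_smb_conf(text)
    report = {}
    for name in cp.sections():
        if name == "global":
            continue
        sec = cp[name]
        findings = []
        writable = share_is_writable(sec)
        guest = is_yes(sec.get("guest ok", "no"))
        printable = is_yes(sec.get("printable", "no"))
        if writable and guest:
            findings.append("writable and guest ok: anyone on the network can modify files")
        if writable and not sec.get("valid users") and not printable:
            findings.append("writable with no 'valid users': every Samba account can write")
        if name == "printers" and not printable:
            findings.append("[printers] without printable = yes will not share printers")
        if sec.get("write list"):
            findings.append("write list grants write access to: " + sec["write list"].strip())
        report[name] = findings
    return report

if __name__ == "__main__":
    for share, findings in audit_shares(SMB_CONF).items():
        print(f"[{share}]", "; ".join(findings) or "ok")
```

This only looks at the access-related options it knows about; testparm, as the text says, remains the check for syntax errors.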

4. Testing and logging

Of course, before anything else, testing is essential before you announce to your users that they have a new Samba server. Log files will usually provide important information if something goes wrong, and the
# smbstatus
command may also help. If you want to do live config altering on a running Samba server, use smbcontrol. Should you want to preserve those options, alter smb.conf and restart Samba.

5. Conclusion

What you just read is a simplified tutorial on basic usage of Samba: should you need more, the Samba website has lots of helpful information, and there are books published on the topic, with coverage of more advanced topics like WINS, 389 or LDAP. Remember to back up your smb.conf periodically and, once again, watch out for permissions and security holes.

Thursday, September 22, 2011

15 "Don'ts" to Hold On to Your Husband

  • Don't compare yourself to him; he is different from you.
  • Don't make him feel you have no need for him, or you will lose his generosity and care for you.
  • Don't impose your style or your way of thinking on him, because he gets angry if he feels you are rivalling him.
  • Don't expect him to do what you would like to do, because he does not think the way you do.
  • Don't spread the secrets of your life together, because a man is by nature reserved.
  • Don't hold back your love and tenderness for him, for this makes him feel content.
  • Don't make him feel that you are better than him, or you will lose his love and respect.
  • Don't keep increasing your demands; a man loves a contented wife.
  • Don't always wait for him to take the initiative, for a husband's generosity shows in his responses.
  • Don't attend to your children at the expense of attending to him; he likes to be the focus of attention and care the whole time he is at home.
  • Don't press him with questions when he goes out; he wants to be like a free bird.
  • Don't intrude on his solitude, because he prefers to withdraw from others when he has a problem he is trying to solve.
  • Don't provoke him; he is by nature sharp-tempered, irritable, and quickly loses patience.
  • Don't put him off during marital intimacy, or he will look for pleasure elsewhere.
  • Don't wait for him to say sorry, because he does not like apologizing; if he wants to, he uses other, indirect ways of expressing it.

Tiny Web Proxy And Content Filtering Appliance On CentOS 6 (Version 1.4)


This small HOWTO will show you how to set up a small virtual machine to speed up and secure your home / small enterprise web surfing network using CentOS 6, Squid 3.1 and QuintoLabs Content Security 1.4 applications deployed in a VMware Virtual Player running on Windows 7 x64 as a host operating system. This howto is targeted at novice users and may sometimes seem too thorough for more advanced gurus.
See previous versions of this HOWTO for examples of creating similar virtual appliances running on Debian 6 or Ubuntu 10.04 Linux.

Step 1. Download and Install CentOS 6

Go to http://www.centos.org and get the latest i386 based ISO image of CentOS 6 (CentOS-6.0-i386-minimal.iso). Although x64 is the usual recommendation for a modern server, i386 will suffice for the small virtual machine we are building.
Start up the VMware Virtual Player and create a new virtual machine with the following hardware parameters: name - virtual-proxy, hard disk - 8Gb. Press the "Customize the hardware" button and delete the floppy, USB controller, printer and sound card, set the amount of memory to 512Mb. Switch the network adapter from "NAT" mode into "Bridged". Point the virtual CDROM to the ISO image that you have downloaded earlier and start the virtual machine.
Follow the steps of the CentOS install wizard mostly accepting the defaults. Configure machine hostname as "proxy" and root password as "P@ssw0rd" (without quotation marks). Now wait a little until the installation is complete and then reboot the system.

Step 2. Perform post install configuration of CentOS

CentOS 6 deployed in VMware Player does not have network subsystem enabled by default. In order to set the static IP address and enable networking we need to modify the scripts located in the /etc/sysconfig/network-scripts. So start the root terminal and open the script file in vi.
NOTE: The IP addresses given below are valid for my environment, which connects to the ISP through a LinkSys Wireless N Broadband Router (with custom dd-wrt firmware) whose built-in DHCP server hands out internal IP addresses from the 192.168.1.* private subnet. Your router may give out other addresses, so please beware :) !
cd /etc/sysconfig/network-scripts/
vi ifcfg-eth0
Add these lines to the ifcfg-eth0 file:
BOOTPROTO=static
NETMASK=255.255.255.0
IPADDR=192.168.1.4
ONBOOT=yes
Then save the file (ESC + : + wq) and exit vi. Next we need to set the gateway settings in /etc/sysconfig/network configuration file. Open the file...
vi /etc/sysconfig/network
... and add this line:
GATEWAY=192.168.1.1
Save the file and exit vi. Now we need to set the DNS server settings that are stored in /etc/resolv.conf. Open the file...
vi /etc/resolv.conf
... and add the IP address of the DNS server that runs on router:
nameserver 192.168.1.1
Now restart your network subsystem by typing
/etc/init.d/network restart
in the root terminal, or by just restarting the virtual machine. After the restart, confirm that the network functions correctly by typing the following in the terminal (there should not be any errors in the output of these commands):
ping -c 3 192.168.1.1
nslookup google.com
Before we do any further installation it is recommended to update the freshly installed system with the latest security patches that may have come out after the ISO was released. So type the following in the root terminal and reboot the virtual machine after the update completes:
yum update
reboot

Step 3. Install VMware tools

It is recommended to install VMware tools in a virtual machine to make it perform faster and to enable some useful host integration features (like easy click-out of the VM and clipboard sharing). As we are building a console-only server this is not a first priority, but here are the detailed instructions on how to do it.
Select Virtual Machine -> Install VMware Tools from the VMware player interface, wait until VM mounts the virtual ISO disk and type in the root terminal:
mount /dev/cdrom /mnt
cp /mnt/VMwareTools-8.4.6-385536.tar.gz /root
cd /root
tar -xvf VMwareTools-8.4.6-385536.tar.gz
cd vmware-tools-distrib
./vmware-install.pl
Follow the installation wizard mostly pressing Enter (i.e. accepting [yes]). Then reboot the VM.

Step 4. Install Squid Web Caching Proxy

Next we need to install the latest version of Squid proxy server. In order to do that type the following in the root terminal
yum install squid
All squid related packages are downloaded from the Internet and installed automatically.
The only remaining thing is to allow users on our home network to access Squid. Open the Squid configuration file by typing
vi /etc/squid/squid.conf
and add the following line
visible_hostname       proxy
Also check that http_access allow localnet and acl localnet src 192.168.0.0/16 are present in the config file.
Now make Squid proxy service autostart on system boot by typing
chkconfig squid on
in the command prompt. Reboot your VM or just start squid for the first time manually:
service squid start

Step 5. Adjust firewall settings to allow network users to connect to Squid

 
In order to adjust the firewall settings we need to install a console based program called system-config-firewall-tui, so type in the root terminal:
yum install system-config-firewall-tui
system-config-firewall-tui
The settings that need to be customized are shown on the following screenshots:
Screen 1. Select the Customize firewall button.
Screen 2. Enable access to port 80 for WWW (see the description of the Apache installation later) and press Forward.
Screen 3. Add port 3128 and set the protocol to TCP.
Screen 4. Then press Forward and Close.
Again restart your network subsystem by typing
/etc/init.d/network restart
in the root terminal or by just restarting the virtual machine.
Verify that squid runs correctly by pointing your browser to the IP address of the proxy server (192.168.1.4) and surfing to some of your favorite websites.

Step 6. Install Apache

It is also a good idea to have a web server installed on the virtual machine. This web server will later host the status and report information for Squid and QuintoLabs Content Security. In order to install Apache type the following in the root terminal:
yum install httpd php
Make the Apache service autostart on system boot by typing
chkconfig httpd on
in the command prompt. Reboot your VM or just start Apache for the first time manually by typing
service httpd start
Open your browser and navigate to http://192.168.1.4. You should see the “It Works!” greetings from Apache.

Step 7. Install QuintoLabs Content Security 1.4.0

The next step is to install Content Security 1.4 for Squid from QuintoLabs (I will refer to it as qlproxy further in the text). For those who do not know, QuintoLabs Content Security is an ICAP daemon/URL rewriter that integrates with an existing Squid proxy server and provides rich content filtering to sanitize web traffic passing into the internal home / enterprise network. It may be used to block illegal or potentially malicious file downloads, remove annoying advertisements, prevent access to various categories of web sites and block resources with explicit content (i.e. prohibit explicit and adult content).
Unfortunately QuintoLabs does not yet have an online package repository for qlproxy, so we have to get the CentOS / RedHat RPM package manually from the QuintoLabs web site at http://www.quintolabs.com/qlicap_download.php using your favorite browser and upload the package to the system using scp. Another way is to type the following command in the root terminal (as one line):
curl http://www.quintolabs.com/qlproxy/binaries/1.4.0/qlproxy-1.4.0-72bbf.i386.rpm > qlproxy-1.4.0-72bbf.i386.rpm
Wait a little until the download completes (approx. 21Mb) and run the following command to install the downloaded package
rpm --install qlproxy-1.4.0-72bbf.i386.rpm
The RPM manager will run for a while and the program will be installed into /opt/quintolabs/qlproxy and /var/opt/quintolabs/qlproxy.
NOTE: this howto assumes you have SELinux disabled on your machine. For specific notes concerning an SELinux-based installation of qlproxy see their web site and the sample SELinux policy installed in /opt/quintolabs/qlproxy/usr/share/selinux. In order to disable SELinux set SELINUX=disabled in /etc/selinux/config and reboot.
Now we need to configure qlproxy and integrate it with Squid. The configuration files are plain text, stored as /opt/quintolabs/qlproxy/etc/*.conf, and are simple to modify, with a handful of comments inside. I am going to perform the following modifications:
  1. As I personally do not like excessive advertising on the web and as I often browse through Russian and German sites I will enable extended adblock filtering by uncommenting the corresponding Russian and German AdBlock subscriptions in /opt/quintolabs/qlproxy/etc/adblock.conf file. I also do not like sites tracking me so I usually uncomment easy_privacy subscription in the same file.
  2. My kids sometimes play online games on my computer so I prefer to set the level of adult blocking heuristics to high in the /opt/quintolabs/qlproxy/etc/adultblock.conf by changing from heuristics_level = normal to heuristics_level = high. If anything is falsely blocked by the qlproxy I can later add it to the exceptions.conf file to have it passed through.
  3. The Parental Controls module of 1.4 now supports filtering of HTML page contents for banned words and phrases (like Dansguardian) and I will enable it too. The potential pitfall here is the type of algorithm used that requires a lot of computational power from your PC - that is why the recommended way is to leave the module switched off in a typical installation. Next version of qlproxy is known to include a much better implementation.
  4. The urlblock module that uses community developed database of categorized domains incorrectly puts blogspot.com into an adult category... so I add it to the exception list in /opt/quintolabs/qlproxy/etc/exceptions.conf to be able to read some of my favorite blogs hosted there.
  5. I know that worms, trojans and other malware often connect to the outside world by IP address, so I put a magic regexp into the /opt/quintolabs/qlproxy/etc/httpblock.conf file to filter them out:
    url = http://\d+\.\d+\.\d+\.\d+/.*
Good for now. Let us issue a restart command to make the qlproxyd daemon reload the configuration:
/etc/init.d/qlproxy restart
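As an added example (not part of the original howto), the httpblock.conf rule from item 5 applied in Python to a few constructed URLs, together with a constructed exception set holding the appliance's own address 192.168.1.4. It shows which URLs the rule catches and, as a caveat, which IP-literal URLs slip past it (https, an explicit port, no trailing slash), next to a tighter pattern that is an assumption of this example and not a qlproxy setting. That qlproxy anchors the rule at the start of the URL, and the one-address-per-line exception format, are also assumptions here.

```python
import re

# The rule from httpblock.conf above, exactly as the page gives it. This example
# assumes qlproxy anchors it at the start of the URL (re.match does the same).
HTTPBLOCK_URL_RE = re.compile(r"http://\d+\.\d+\.\d+\.\d+/.*")

# A tighter pattern, an assumption of this example and not a qlproxy setting:
# it also covers https, an explicit port, and an IP literal with no path.
STRICT_IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:/.*)?$")

# Constructed stand-in for exceptions.conf: the appliance's own address, so the
# report page at http://192.168.1.4/qlproxy stays reachable through the proxy.
EXCEPTIONS = {"192.168.1.4"}

def host_of(url):
    """Host part of an http(s) URL without the port (hypothetical helper)."""
    m = re.match(r"https?://([^/:]+)", url)
    return m.group(1) if m else ""

def is_blocked(url, pattern=HTTPBLOCK_URL_RE, exceptions=EXCEPTIONS):
    """True when the rule matches the URL and no exception covers its host."""
    if host_of(url) in exceptions:
        return False
    return pattern.match(url) is not None

# Constructed sample URLs; 203.0.113.0/24 is a documentation address range.
SAMPLES = [
    "http://203.0.113.7/update.exe",    # bare IP literal: blocked by the page's rule
    "http://192.168.1.4/qlproxy",       # would be blocked too, but the exception applies
    "http://example.com/index.html",    # hostname, not an IP: allowed
    "https://203.0.113.7/update.exe",   # slips past: the rule only starts with http://
    "http://203.0.113.7:8080/x",        # slips past: the port breaks the "/" after the IP
    "http://203.0.113.7",               # slips past: no trailing slash
]

def evaluate(samples=SAMPLES):
    """Map each URL to (blocked by the page's rule, blocked by the strict rule)."""
    return {u: (is_blocked(u), is_blocked(u, STRICT_IP_URL_RE)) for u in samples}

if __name__ == "__main__":
    print("page   strict  url")
    for url, (page_rule, strict) in evaluate().items():
        print(f"{'BLOCK' if page_rule else 'pass':<6} {'BLOCK' if strict else 'pass':<6}  {url}")
```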
Next we need to integrate it with Squid. As the qlproxy daemon supports the shiny ICAP protocol this is a little bit different from the url_rewrite_program integration described in the previous version of this howto. By the way, README file in /opt/quintolabs/qlproxy/ contains instructions on how to do that. Anyway here are the steps required:
  1. Open the /etc/squid/squid.conf in vi by typing
    vi /etc/squid/squid.conf
    in the root terminal.
  2. Add the following lines:
    icap_enable on
    icap_preview_enable on
    icap_preview_size 4096
    icap_persistent_connections on
    icap_send_client_ip on
    icap_send_client_username on
    icap_service qlproxy1 reqmod_precache bypass=0 icap://127.0.0.1:1344/reqmod
    icap_service qlproxy2 respmod_precache bypass=0 icap://127.0.0.1:1344/respmod
    adaptation_access qlproxy1 allow all
    adaptation_access qlproxy2 allow all
Now restart Squid by typing service squid restart in the root terminal. After restart try surfing the same sites with your browser and see how nicely ads are blocked. Another useful test is to go to the eicar.com web site and try to download a sample artificial eicar.com virus to see that com files are blocked by the download filter.
Note: for those of you who must stick with squid 2.7 for some other reasons or if you are on Windows(!) qlproxy can be integrated with Squid as url rewriter. Open /etc/squid/squid.conf and find the url_rewrite_program section and add the following (as one line): url_rewrite_program /opt/quintolabs/qlproxy/sbin/qlproxyd_redirector --config_path=/opt/quintolabs/qlproxy/etc/qlproxyd.conf.
The last thing to do is to integrate qlproxy with Apache so that you can see the reports on user activity that are generated once a day. This is quite easy: open the /etc/httpd/httpd.conf file and add the following Alias and Directory block:
Alias /qlproxy /var/opt/quintolabs/qlproxy/www
<Directory /var/opt/quintolabs/qlproxy/www>
Options FollowSymLinks
AllowOverride None
</Directory>
Now restart Apache by typing in the terminal
service httpd restart
You can navigate to http://192.168.1.4/qlproxy to see the generated reports. The catch is that qlproxy blocks access by IP address according to our settings in httpblock.conf described earlier. The solution is to add 192.168.1.2 as an entry in /opt/quintolabs/qlproxy/etc/exceptions.conf, or just tell the browser not to use the proxy for this address.

Resume

Finally everything is in place to start accelerated, secure web surfing without adverts: point your browser to 192.168.1.4 port 3128, surf to your favorite web sites and see the difference. URLs with IP addresses are blocked, and so are explicit adult content sites. The VM takes no more than 512 MB and the surfing experience is quite acceptable. The system automatically updates its URL block list and advert subscriptions once a day and requires minimal additional maintenance.


50 Good Android Apps: Social, Downloads, Hands-Free


An Android device is only as useful as the apps it features. These 50 apps will help you get the most out of your device. Enjoy!
1) Vlingo
Need to text, call, tweet or set your Facebook status and your hands are already occupied? That's no problem if you have Vlingo, which allows you to operate your Android phone with your voice. It even works with a wireless Bluetooth headset. Free.

2) Anti-Virus Pro
Concerned about malware, viruses and SMS spam? Anti-Virus Pro is a comprehensive security suite for Android that can scan apps, files, settings and media in real time. Paid: $9.99.

3) Seesmic
This Twitter client integrates streams from Twitter, Facebook and even Salesforce.com Chatter into a single client, allowing you to stay on top of all your messages from various sources. Unlike many clients, it supports multiple accounts, giving you the ability when composing a message to send it out via one of your accounts or all of them at once. You can also customize a large number of features. Free.

4) The Weather Channel
Keep up with everything you need to know about the weather with this app. It features hourly, 36-hour and 10-day forecasts and live video from the TV channel. Free.

5) iTriage Mobile Health
Use this app to help take better care of yourself. It was designed by two emergency room physicians to help users identify their symptoms and find a healthcare provider. Free.

6) LogMeIn Ignition
This app lets you securely access your computers—Windows or Mac—and all the files on them remotely from your phone. Never leave anything behind again. Paid: $29.99.

7) TiKL – Touch to Talk (PTT)
Turn your Android phone into a walkie-talkie with this app. It provides push to talk capabilities between Android phones without additional hardware and without using minutes. Communication is near instantaneous on 3G and 4G networks. Free.

8) Amazon Kindle for Android
Want to read an electronic book, newspaper or magazine but don't have your Kindle with you? Or don't have a Kindle at all? It's not a problem with this app, which allows you to read any of 900,000 Kindle-formatted books with your Android device. And Amazon's Whispersync ensures that your last page read, bookmarks, notes and highlights sync across your various devices. Free.

9) Thinking Space
Thinking Space is a mind mapping application that allows you to visualize, structure and classify ideas. You can create nodes, add notes to them and arrange them, all with a UI that makes it a snap to work with. The maps you create with this app are also compatible with PC-based Xmind and Freemind. Free.

10) PdaNet
Use USB Tether or Bluetooth DUN to connect your laptop to the Internet using your Android phone as a modem. You can use your phone to connect via 3G data, Wi-Fi and even VPN. Free and paid. The free version blocks access to secure Web sites. The premium version goes for $23.95.

11) MightyMeeting
Manage a library of PowerPoint presentations directly from your Android phone with this app. You can use the app to share the presentations via e-mail, blog, Twitter and Facebook, and you can also start or join Web meetings using it. Free.

12) JuiceDefender
Is the battery on your Android phone consistently running on empty? JuiceDefender can help you extend it! The app intelligently manages your mobile connectivity and other battery-sensitive components to ensure your phone runs as efficiently as possible. For example, the default mode switches your phone from battery-intensive 3G mode to the less-draining 2G mode when you're not actually using the phone, and it turns off the Wi-Fi radio if the charge goes below a certain level. The Advanced Mode allows you to tune the app's triggers based on your individual needs. Free.

13) Skifta
This app turns your Android device into a global remote control. Certified by the Digital Living Network Alliance (DLNA), Skifta allows your Android device to stream onboard media to any DLNA-enabled device, including TVs, stereos, PCs and the Sony PlayStation 3. Free.

14) Document Scanner
This app allows you to scan documents with your phone's camera, convert them to PDF and e-mail the PDF to anyone. You can even upload the PDF to Google Docs. Paid: $2.98.

15) Bluetooth File Transfer
With this app, you can explore and manage the files on any Bluetooth-enabled device, receive files and send contacts. It's built on the Bluetooth File Transfer Profile (FTP) and Object Push Profile (OPP). Free.

16) Kongregate Arcade for Android
Want to stay up on the newest and hottest Flash games around? This app gives you free access to more than 300 games from the Kongregate community and fully integrates with your existing Kongregate Web account. Free.

17) Howcast for Android
Need to know how to change a tire, make banana pudding or survive a long airport layover right now? Howcast puts instructional videos in 25 categories right at your fingertips. Each video also comes with text instructions. Free.

18) TED Mobile
Since 1984, the world's best and brightest have gathered at the TED (Technology, Entertainment, Design) Conferences to spend no more than 18 minutes talking about the thing that fascinates them most. It's always illuminating, and with this app you can search and watch more than 700 TED Talks right from your phone. Free.

19) Handcent SMS
Handcent SMS supercharges your texting with full support for SMS and MMS, group sending options and backup and restore features for SMS and MMS. Other features include the ability to customize your look with themes and spam filtering options. Free.

20) WolframAlpha
Access WolframAlpha's computational knowledge engine from your phone with this app. Also available for free via the WolframAlpha Web site, the app calculates the answers to complex mathematic and scientific problems in an instant. The app version adds a keyboard with all manner of mathematic and scientific symbols to make entering queries a snap. Paid: $1.99.

21) eBuddy Messenger
This comprehensive IM client allows you to connect to multiple MSN (Windows Live), Facebook, Yahoo, AIM, ICQ, GTalk, Hyves and MySpace accounts all at once. It shows all your contacts in one list and runs in the background. IMs are sent as data, not SMS. Free.

22) Evernote
This app allows you to log, index and search all manner of information, from notes to audio to photos. For instance, you can take a photo of a whiteboard and Evernote will recognize the text in the photo, index it and then allow you to find it later by entering a search term from the information on the whiteboard. It even syncs with the Web. Free.

23) EverPaper
EverPaper is a simple but excellent Instapaper client. It doesn't support folders yet, but it's under constant development. It also syncs with Evernote. Free.

24) Yelp
Yelp for Android determines your current location and then lets you search for nearby businesses, read reviews and so on. It also lets users filter by "Price," "Open Now," "Special Offers" and "Hot on Yelp." Free.

25) Time Recording
Time Recording is an app that lets you manage your time sheet, including options like tasks, target time, hourly rate, paid overtime and multiple data/time formats. It also supports CSV export. Free.

26) CallTrack
This app logs your phone activity to your Google Calendar, allowing you to track who you've called or received calls from and when. Free.

27) ActionComplete
ActionComplete is a robust task manager. It is built around projects you create, which are made up of individual actions that serve as milestones in the project. The app is based on the Getting Things Done (GTD) methodology created by David Allen in his book: Getting Things Done: The Art of Stress-Free Productivity. Free.

28) Google Chrome to Phone
Run the Google Chrome browser on your computer? This app lets you share links, maps and currently selected phone numbers and text between your computer running Chrome and your phone. Free.

29) SMS Backup +
This app automatically backs up SMS, MMS and call log entries to a separate label in your Gmail account. Free.

30) Fusion Voicemail Plus
Centralize all your voicemail boxes, including mobile, home and office, on your Android phone with this app. It can receive and display faxes too. Free.

31) Parcels
This handy app lets you track all your packages in one place. Carriers supported include: Apple, Fedex, UPS, UPS Mail Innovations, Amazon.co.uk, Amazon.com, Amazon.de, DHL Express National (Germany), DHL (Germany), DPD Standard (Germany), GLS (Germany), Hermes, TNT, TNT International (Netherlands), TNT National (Netherlands), OnTrac Shipping, LaserShip, Posten (Norway), Post (Austria), Post (Switzerland), Posten (Sweden), USPS, DHL (USA), DHL Express (GB), Home Delivery Network (GB), Japan Post Int. Mail, CNE Express, Royal Mail, Spee-Dee Delivery (USA), Parcelforce. Free.

32) NewsRob
This is an excellent, plain but functional Google Reader client with built-in syncing for off-line reading. Free and paid. The free version features ads. NewsRob Pro goes for $7; it removes the ads and adds exclusive features for power users.

33) Read It Later
A simple, reliable tool that adds Instapaper to your sharing menu, so you can quickly tag articles as you browse. Free.

34) Astrid Task Todo List
Get yourself organized with this todo list app. It features tagging, timers, reminders, smart task sorting and even tracks partial progress. You can sync your todo list with Remember the Milk, which can sync with Gmail. Free.

35) Mint
Manage your money and keep track of your budget while on the move using Mint. It gives you up-to-date information on your accounts and lets you edit transaction info right on your phone. And it's password protected to make sure your information stays safe. Free.

36) aCar
This app allows you to track the maintenance, fuel mileage and expenses of your vehicles. It provides notifications when it's time to change the engine oil, air filter, oil filter, etc. Free.

37) SMS2PC
This app automatically forwards SMS messages to your PC if you're working on it so you don't have to reach for your phone. You can reply to messages and create new ones from your Android address book. Paid: $2.50.

38) GDocs for Android
This editor/viewer for Google Documents allows you to create, edit, view, import, export, send documents and sync them with your Google Docs account. Free.

39) QuickOffice Connect Mobile Suite
This Microsoft Office-compatible productivity suite for Android devices allows you to view and edit Word, Excel and PowerPoint files with integrated access to multiple remote storage providers. Paid: $15.

40) Exchange for Android
This app offers Exchange/Outlook sync for your Android! It works with Exchange 2003/2007 and allows you to sync your e-mail, contacts and calendar. It's available for a free five-day trial. After that, a license costs $19.99.

41) Dial Zero
Need to get in touch with customer service and don't want to wait on hold? Dial Zero maintains an index of more than 600 companies and how to cut through their automated answering services to get a live human being in no time. Free.

42) DroidAnalytics
This app puts all your Google Analytics data at your fingertips. You can quickly see Pageviews, Visits, Unique Visitors, Average Time on Site and Bounce Rate, with filters for Top Keywords, Top Referrers, Top Countries, Top Traffic sources, Top Search Engines, Top Referring Sites and Top Browsers. Paid: $1.47.

43) Dropbox
Dropbox is a client for the Dropbox cloud-sharing file storage service. It makes it easy to get files onto your phone without explicit synching. You can add files to it from any of your computers and then access them from any other computer or phone.

44) Lookout
Want to protect your phone? Lookout does just about everything. It provides security against mobile viruses, malware and hackers, backs up your data and even locates your lost or stolen device on a map from the Web. And if you can't find it, you can use Lookout to make your phone "scream" or simply wipe out all the data on it.

45) RepliGo Reader
A PDF reader that can be used to view Gmail PDF attachments, online PDF documents or PDF files saved to your media card. It features a reading view that reformats pages into a single column, and offers support for embedded fonts, PDF bookmarks and text search. Paid: $4.95.

46) App Protector Pro
Want a little extra security for your Android phone? App Protector Pro allows you to password protect any application on your phone, including e-mail, SMS, photos and more. Paid: $1.99.

47) Wikidroid
Use Wikipedia often? Wikidroid formats Wikipedia articles for your device with a sleek interface. It even includes voice search and bookmarks.

48) Memory Booster – RAM Optimizer
Keep your Android phone running at its fastest with this app. Memory Booster optimizes your phone's memory by recovering memory leaks, flushing temporary libraries and defragmenting your phone's memory. Free.

49) ESPN ScoreCenter
Get comprehensive ESPN sports coverage on your Android phone with this app. It provides near-real-time scores and schedules. Free.

50) handyCalc Calculator
The app adds just about every calculator function you can think of to your Android phone, allowing you to put your scientific calculator in the drawer forever. Free.