Trumphurst Technical Notes

ACS AET62 Fingerprint Reader and C#

2011-11-07T11:32:00.000Z

I'm currently trying to interface to an ACS AET62 Fingerprint Reader from C#. The reader comes with an SDK, along with what appear to be extensive example applications. However, the applications contain bugs which the documentation does not help to resolve. I thought I would record the bugs I have found, and how I have resolved them.

ABSEnroll has a ref int parameter which is returned as a pointer to an ABS_BIR structure. This is declared in the provided BSTypes.cs file as containing a header followed by 2560 bytes of data. Unfortunately, this is not correct - it contains a header followed by up to 2560 bytes of data. The actual length of the whole structure (including the header) is contained in the first uint Length member of the structure.

This kind of variable length structure is quite common in C++, but there is no built-in way to marshal it correctly in C#.

The code provided in the SDK just calls Marshal.PtrToStructure on it - this will run off the end of the allocated memory, and assign garbage to the last (should be unused) bytes of the ABS_BIR structure. That's sort of OK in a 32-bit operating system (it is unlikely to try to access memory that doesn't exist), but in a 64-bit one with properly protected memory, it may well throw an exception.

The correct way to marshal the structure is in two parts - first marshal the header part with Marshal.PtrToStructure, then allocate the data byte array to the length therein (first subtracting the length of the header itself), and use Marshal.Copy to copy the remainder.

ppEnrolledTemplate = new BSTypes.ABS_BIR();
BSTypes.ABS_BIR_HEADER hdr = (BSTypes.ABS_BIR_HEADER) Marshal.PtrToStructure(ptr, typeof(BSTypes.ABS_BIR_HEADER));
ppEnrolledTemplate.Header = hdr;
int hdrlen = Marshal.SizeOf(hdr);
int bodylen = (int)(hdr.Length - hdrlen);
ppEnrolledTemplate.Data = new byte[bodylen];
Marshal.Copy(new IntPtr(tset + hdrlen), ppEnrolledTemplate.Data, 0, bodylen);

ABSVerify takes a reference to an IntPtr which is represented in C++ as **ABS_BIR - it is supposed to be an array of pointers to ABS_BIR. The example code provided just passed one ABS_BIR - it used Marshal to allocate a chunk of global memory and marshal the structure into it. The resulting IntPtr was passed as the ref parameter. This is all very fine if you only want to verify a single fingerprint, but if you want to determine which of a list of fingerprints is being scanned (as I did), it is no help at all.

My knowledge of C++ finally allowed me to figure out what was needed. - first, allocate an array of IntPtr (one for each ABS_BIR fingerprint scan you wish to pass). Then allocate memory for each structure into its corresponding IntPtr, and use Marshal to copy the structure into the allocated memory. Finally, pass a reference to the 0'th element of the array.

In actual fact, there is no need to Marshal the ABS_BIR structure during Enroll or Verify - it can be treated as an opaque array of bytes (with the length of the whole thing in the first 4 bytes) - other than the length, there is no other interesting data in the ABS_BIR structure.

Also, during Verify, you can make a single call to allocate enough memory for all the structures you want to pass, and calculate the values of the IntPtrs to pack the data into the single block of memory.

I hope this helps anyone else struggling with this SDK.

VMWare Workstation on Windows

2011-02-19T17:44:00.000Z

Having abandoned CentOs as the host for my VMWare VMs, I went back to running Windows XP as the host.

A bit of a pain (two sets of virus detectors, and all the other bloatedness of Windows). That would have been OK, except that most times I started the client, it decided it had only 1 monitor, and rearranged my desktop accordingly. So every morning, the first few minutes would be spent putting things back on the correct monitor. Would you believe that moving a quick launch toolbar from one monitor to another reorders all the icons?

At least my USB 3 drive worked (and aren't they _fast_ !). And my headset.

However, performance was not good, and too many things caused screen updating to stop working. And VM clients had a tendency to jump from one (ATI Hydravision) virtual desktop to another (on the server).

The NTFS filesystem going corrupt, so that one of the 2GB files that made up my hard disk suddenly thought it was 2TB was the last straw.

I finally gave in, and decided to "de-virtualise" my desktop. I took loads of backups, made a BartPE CD, booted it, and repartitioned my disk. Then I restored the backup of my VM client desktop, and rebooted.

Then I was stuck in a boot loop - as soon as the Windows logo appeared, the machine rebooted. Safe mode (even safe mode with command line) did not help. The only way out was a repair install with the latest CD I had (XP64 SP1), followed by a whole day downloading updates and service packs and copies of Internet Explorer.

So I can now advise that virtualisation is not ready to host your desktop on the one machine, and that changing the hardware of your Windows working environment is still a horrible nightmare.

CentOs and VMWare Workstation

2011-02-19T17:42:00.001Z

I had other problems with my CentOs VMWare WOrkstation host environment. I have a Logitek USB headset, which I use with Skype in my VM client running Windows XP.

However, a while ago the microphone stopped working - all I got from it was a load crackling noise. I tried buying a new headset, but that was the same - it seems to be a reaction between CentOs and VMWare.

Yet another reason to abandon CentOs :-(

CentOs and USB 3.0

2011-02-19T17:36:00.001Z

I run CentOs 5 as a host operating system for VMWare Workstation, and use a VM client as my main working environment.

I was finding backing up my environment to be a slow and painful process using USB2 disks, or the Gigabit network card.

I read that USB 3.0 was much faster, and that Linux was the first O/S to support it, so I bought a controller card and disk.

Then I found CentOs didn't support it :-(

I was encouraged by the nice people at el-repo to try their experimental kernel for CentOs, and, after a lot of messing about, I managed to get it booted, and accessing the USB 3 disk. However, I couldn't also use their fglrx ATI Radeon driver at the same time (it only works with the stock CentOs kernel). As dual monitor support is vital to me, I gave up, and finally abandoned CentOs.

U8230 MoDaCo ROM makes ShopSavvy work on Android T-Mobile Pulse

2009-12-03T16:49:00.001Z

Well, I installed the U8230 MoDaCo ROM, and it sort of worked.

Unfortunately, things (especially the front screen) kept crashing.

However, after advice from the nice MoDaCo people, I did a factory reset...

Use the Quick Boot app to go into recovery mode
Allow the root shell access when the prompt comes up
Choose the factory reset option
When the system restarts it will come up with the standard French options - go into Settings/Locale and text/Select locale and choose English.
I found I had to reboot the phone again to make that setting take properly.
Now you have to reinstall all your apps (but, if you go to Market, My downloads, they are all listed ready to install). I have installed CoPilot Live (paid for), but it downloaded and installed OK, and re-registered fine.

Because this version of the ROM has moved Google Maps into the data partition (to save space), the factory reset removed it (as it wipes the data partition). So I then had to reinstall the update again. I would advise factory resetting before installing this ROM.

There are some good things about this ROM though:

ShopSavvy can use the camera like it should (the old version just showed a black screen).
Google contacts will sync OK (even if you add people to your Favorites).

ShopSavvy doesn't work on Android T-Mobile Pulse

2009-12-03T12:01:00.000Z

One of the highly recommended applications on Android is ShopSavvy. Apparently this lets you use the phone's camera to scan barcodes of products, and then tells you the best prices to buy them, both locally and on the 'Net.

Sounds good, but doesn't work on my Pulse :-(

However, the excellent Paul at MoDaCo has produced a custom rom based on the French U8230 version of this phone, which fixes the problem. (For those not wishing to root their phone, ShopSavvy have been told by the phone manufacturer that a new ROM image has been supplied to T-Mobile, so just wait patiently!)

So I'm loading it now - for full instructions see http://trumphurst.blogspot.com/2009/12/rooting-android-on-t-mobile-pulse.html - but use http://www.romraid.com/paul/pulse/update-pulse-u8230edition-1.0-core-signed.zip instead of update-pulse-1.3-core-signed.zip.

SSH into my Android T-Mobile Pulse phone

2009-12-03T10:45:00.000Z

Having installed the MoDaCo Custom ROM into my rooted phone, I then tried to ssh into it. The first thing I needed was the password - the instructions weren't clear, but I eventually found it in Settings/About Phone/Setup Wizard.

I used Putty to SSH into the phone (having got its IP address from my DHCP server logs) as root (using port 2222), and it worked. Now I wanted to use my public key, so I wouldn't be asked for the password again. Instructions were a bit fragmented, and I had a few false starts, but this is what I ended up doing:

cd /data/dropbear
mkdir .ssh
chmod 700 .ssh
cd .ssh
echo 'my public key' >authorized_keys
chmod 644 authorized_keys
cd ..
mount -o rw,remount -t yaffs2 /dev/block/mtdblock1 /system
edit /system/bin/dropbear.sh to add
-R /data/dropbear/.ssh/authorized_keys
to the end of the command line.
mount -o ro,remount -t yaffs2 /dev/block/mtdblock1 /system
reboot the phone (type "reboot" at the command line, or use the Quick Boot app on the phone).

The mount commands switch the filesystem from read-only (its usual state) to read-write and back again.

Brilliant - I now have password-free root access to my phone using ssh from my PC (which has a real keyboard). Some experimentation shows I have most of the commonly-used Linux commands available to me.

Rooting Android on the T-Mobile Pulse

2009-12-03T10:14:00.001Z

Being the techy that I am, I investigated getting ssh access into my phone (preferably as root). The site with the best information on this is http://android.modaco.com/content/t-mobile-pulse-pulse-modaco-com/294178/13-10-1-0-rooting-the-pulse-introducing-superboot/

I didn't find the instructions there 100% clear, so here is what I did:

Install the CD that came with the phone - this is necessary to install USB drivers, adb, etc., so the computer can talk to the phone.
Download (to my PC) the superboot root image http://content.modaco.net/dropzone/1.1-pulse-superboot.zip
and the recovery image http://content.modaco.net/dropzone/1.2.3-pulse-amonrarecovery.zip
and the MoDaCo Custom ROM http://www.romraid.com/paul/pulse/update-pulse-1.3-core-signed.zip
and the stock T-Mobile image (in case of emergency) http://content.modaco.net/pulse/update-pulse-stock-V100R001GBRC85B116SP01-t-mobile-signed.zip
Turn the phone off, and unplug the USB cable.
Hold the volume down and red (end call) buttons, and press the power button. This puts the phone into bootloader mode.
Plug in the USB cable.
Unzip the superboot file, copy AdbWinApi.dll from the CD that came with the phone into the 1.1-pulse-superboot folder, and run .install-superboot-windows.bat.
At this point I restarted the phone by removing the battery, and tried it out - the phone was rooted, but I was unable to get into recovery mode to install the MoDaCo Custom ROM. Turns out I needed to install the recovery image first, and I think I could have done that straight away while the phone was still in bootloader mode.
Unzip the amonrecovery zip, copy AdbWinApi.dll from the CD that came with the phone into the 1.0-pulse-amonrarecovery folder, and run ._install-recovery-windows.bat.
Now restart the phone by removing the battery.
Go into the applications list (bottom right button on the home screen), and run the "Quick Boot" application that superboot has installed. Choose Recovery, and, when you get the sudo screen asking whether to allow root access, allow it. This puts the phone into recovery mode, which I think is a kind of boot image provided by amonrecovery. It's a bit like Windows recovery mode, or booting a Windows machine with a floppy disk - you can do stuff, but the main operating system is not running.
The first useful thing to do is to take a backup of the entire phone, using the Nandroid Backup option on the recovery menu. This backs up a complete image of the phone's ROM to the SD card, which you can restore later. I then turned USB mass storage on (so I could get to the SD card from my computer), and backed up that image to my computer.
Then I renamed the MoDaCo ROM zip (update-pulse-1.3-core-signed.zip) to plain update.zip, and copied it from my computer onto the SD card.
I turned off USB mass storage (so the phone could see the SD card again), and ran the "Apply sdcard:update.zip" option. This installed the MoDaCo ROM image.
Finally I rebooted the phone (from the menu). The reboot took ages. This is to be expected.

SSH into the phone in my next post...

Android on the T-Mobile Pulse

2009-12-03T10:01:00.000Z

I've always wanted a smartphone I can use anywhere to access the Internet, ssh into the servers I maintain, check my mail, etc. I was tempted by the iPhone, but put off by the enormous price, and the closed Apple-only system.

Then I found the T-Mobile Pulse, available on pay-as-you-go for under £200, which runs Android. So I bought one a couple of weeks ago.

It's a nice phone (although the camera is pretty awful). I really like the Android operating system - it does the kind of thing the iPhone does on the TV adverts, but it's open.

I installed all kinds of good software on it:

EStrongs File Explorer - gives me access to my Windows and Samba shares over my Wifi network.
Android-vnc-viewer - lets me control my desktop from the phone (in an emergency - the phone screen is a bit tiny for controlling twin 19" monitors!).
AndFTP - FTP/SFTP client.
TextEdit - does what it says on the tin.
ConnectBot - ssh/telnet client.
DynDNS - dynamic DNS client.
Skype Lite.
CoPilot Live Navigator - full turn-by-turn GPS with maps on the phone, so no Internet connection needed.

I also put on quite a few other less vital bits an pieces - e.g. a spirit level (just like the TV ad), toggle switches for turning WiFi/GPS/3G/etc. on and off (to save going through the settings menu).

ifup: network-functions: line 52: eth0: No such file or directory

2009-03-13T18:11:00.000Z

The (external) power supply on my Linux box broke the other day. Tranquil PC sent me a new one, so I booted the machine up for the first time in ages. I noticed an error message as it was trying to bring up the eth0 interface (which is nicknamed "moors" on my machine):


ifup: network-functions: line 52: eth0: No such file or directory

This appeared twice every time I booted the machine.

I looked in /etc/sysconfig/network-script/network-functions, and line 52 was the (rather unhelpful):
. $CONFIG
I went through a prolonged debugging session, putting trace code in ifup and network-functions, and I found the problem was caused by line 155 of ifup:
is_available ${REALDEVICE}
REALDEVICE at this point is "eth0". is_available starts like this:
LC_ALL= LANG= ip -o link | grep -q $1 [ "$?" = "1" ] || return 0 alias=`modprobe -c | awk "/^(alias|install)[[:space:]]+$1[[:space:]]/ { print \\$3 }"` if [ -z "$alias" -o "$alias" = "off" -o "$alias" = "/bin/true" ]; then return 2 fi modprobe $1 > /dev/null 2>&1 || return 1 # if it is a mainframe ccwgroup device, configure it before # trying to rename it: need_config ${1}
I haven't figured out what all the tests at the top do, but (for eth0 only, and only when rebooting) control comes through to the call to need_config. need_config looks like this:
CONFIG="ifcfg-${1}" [ -f "${CONFIG}" ] && return CONFIG="${1}" [ -f "${CONFIG}" ] && return local addr=`get_hwaddr ${1}` if [ -n "$addr" ]; then local nconfig=`get_config_by_hwaddr ${addr}` if [ -n "$nconfig" ] ; then CONFIG=$nconfig [ -f "${CONFIG}" ] && return fi fi
So CONFIG gets changed from "ifcfg-moors" (which is what it was to start with) to "eth0" - and there is no such file (nor an ifcfg-eth0) in /etc/sysconfig/network-scripts.

I have "fixed" the problem by adding a line to the top of need_config:
[ -f "${CONFIG}" ] && return
but this is the ravings on someone who doesn't really know what is going on!

Helpful suggestions welcome.

Adding a second Internet connection - part 2

2009-03-05T16:52:00.000Z

Now I have routing working properly on my new router, I took the opportunity to move it onto eth0 (my firewalled, "dirty" interface).

First, I set up a new aliased ethernet port on the Linux box, using the Gnome System Settings/Network tool. I gave this IP address 192.168.0.1 (no default gateway).

Then I connected to the new router, and changed its IP address to 192.168.0.250. I physically moved it onto the eth0 network. Finally I telnetted to it and set up its own routes, as follows:
D-Link> ip route addrom index 1 D-Link> ip route addrom name gbit D-Link> ip route addrom set 192.168.3.0/24 192.168.0.1 1 D-Link> ip route addrom save ip route addrom: save ok D-Link> ip route addrom index 2 D-Link> ip route addrom name mbit D-Link> ip route addrom set 192.168.1.0/24 192.168.0.1 1 D-Link> ip route addrom save ip route addrom: save ok D-Link> ip route addrom index 3 D-Link> ip route addrom name dirty D-Link> ip route addrom set 192.168.2.0/24 192.168.0.1 1 D-Link> ip route addrom save ip route addrom: save ok
This set up the following static routes:
Dest FF Len Device Gateway Metric stat Timer Use RN 192.168.0.0 00 24 enet0 192.168.0.250 1 041b 0 1150 192.168.1.0 00 24 enet0 192.168.0.1 1 001b 0 0 192.168.2.0 00 24 enet0 192.168.0.1 1 001b 0 0 192.168.3.0 00 24 enet0 192.168.0.1 1 001b 0 445
Then I altered the routes on the Linux box as follows:
ip route add 192.168.2.0/24 dev eth0 src 192.168.2.1 table ISP1 ip route add default via 192.168.2.5 table ISP1 ip route add 192.168.0.0/24 dev eth0 src 192.168.0.1 table ISP2 ip route add default via 192.168.0.250 table ISP2 ip route add 192.168.2.0/24 dev eth0 src 192.168.2.1 ip route add default via 192.168.2.5 ip rule add from 192.168.2.1 table ISP1 ip rule add from 192.168.0.1 table ISP2
I also set up static routes for some IP addresses I wanted to reach via one or other ISP (e.g. their DNS servers).

That all works - I can connect in from outside via either of the two routers (I have set up identical NAT mappings on both). I can easily switch to the secondary router like this:
ip route del default ip route add default via 192.168.0.250
I am now considering load balancing between the two routers. I think the commands to do this would be:
ip route del default ip route add default scope global nexthop via 192.168.2.5 dev eth0 weight 6 nexthop via 192.168.0.250 dev eth0 weight 1

Adding a second Internet connection

2009-02-19T09:26:00.000Z

I have just installed a second ADSL connection, intending it to be a backup in case the first one goes down. This comes with a DSL-2640R NAT router (including firewall).

My existing network is somewhat complicated - at its heart is a CentOS 4 Linux box from Tranquil PC, with three network cards, which routes between the three networks.

My existing ADSL router is on eth0 (192.168.2.1) at 192.168.2.5.
I have a 100 Mbit network on eth1 (192.168.1.1)
I have a Gbit network on eth2 (192.168.3.1)

Although I want untimately to set up load sharing and automatic failover, to start with I just wanted everything to work, viz:

All machines on the network to have access to the Internet, and all other machines (including both ADSL routers).
To be able to connect to the Linux box from outside, via either Internet connection.

The first thing I did was to assign the new DSL-2640R router IP address 192.168.1.250, turn off DHCP (so it didn't conflict with the existing DHCP server) and add it to the network on eth1. I originally tried to put it on the same network as the existing router, but I don't understand how it would be possible to distinguish outside traffic coming in via the two routers unless they were on separate interfaces. It may be worth trying a virtual interface here.

Allowing the router to see the other networks

Now I could see the DSL-2640R from the Linux box, but not from either of the other networks (as the DSL-2640R did not have a setting for default gateway on its LAN side, so it couldn't find a route back to the other networks).

I first tried setting up NAT on the Linux box for the eth0 interface, by editing /etc/sysconfig/iptables as follows:
*nat :PREROUTING ACCEPT [39:3410] :POSTROUTING ACCEPT [33:2787] :OUTPUT ACCEPT [10:677] -A POSTROUTING -d 192.168.1.250 -o eth0 -j MASQUERADE COMMIT
That enabled me to see the web interface of the DSL-2640R from anywhere on my network, but did not allow incoming traffic from the router to see the rest of my network.

I discovered that the router has a telnet interface, which shows the following help (once you have logged in and typed "help"):
Valid commands are: sys exit ether wan ip bridge dot1q pktqos show set lan
Although I couldn't find any documentation for this interface, it looked remarkably familiar to the one on my ZyXel Prestige 660HW, for which I did have documentation.

I therefore set up two static routes in rom (so they survive a reboot), as follows:
D-Link> ip route addrom index 1 D-Link> ip route addrom name gbit D-Link> ip route addrom set 192.168.3.0/24 192.168.1.1 1 D-Link> ip route addrom save ip route addrom: save ok D-Link> ip route addrom index 2 D-Link> ip route addrom name dirty D-Link> ip route addrom set 192.168.2.0/24 192.168.1.1 1 D-Link> ip route addrom save ip route addrom: save ok
That worked fine, so I reverted iptables to its original state.

Enabling incoming traffic

The next step was to enable incoming traffic from the DSL-2640R. I first opened up the necessary ports in the DSL-2640R's NAT setup, redirecting them all to the Linux box on 192.168.1.1. That allowed the incoming traffic, but the Linux box couldn't reply, because its default route back was via the original ADSL router at 192.168.2.5. Having read an article at http://lartc.org/howto/lartc.rpdb.multiple-links.html, I amended the routing tables on the Linux box. I first added two new tables to /etc/iproute2/rt_tables


200 ISP1
201 ISP2

Then added routes to these tables:


ip route add 192.168.2.0/24 dev eth0 src 192.168.2.1 table ISP1
ip route add default via 192.168.2.5 table ISP1

ip route add 192.168.1.0/24 dev eth0 src 192.168.1.1 table ISP2
ip route add default via 192.168.1.250 table ISP2

ip route add 192.168.2.0/24 dev eth0 src 192.168.2.1
ip route add default via 192.168.2.5

ip rule add from 192.168.2.1 table ISP1
ip rule add from 192.168.1.1 table ISP2

I don't fully understand how all this works (and I would be grateful if anyone explains it to me), but it does seem to.

Switching between the two Internet connections

The next step is to allow switching the default gateway between the two routers (in case the primary one goes down). This is done using a couple of scripts:


# Switch to new Internet connection
ip route del default
ip route add default via 192.168.1.250


#Switch to original Internet connection
ip route del default
ip route add default via 192.168.2.5

That works too - I may set this up to switch automatically, or to load balance, but I think I've done enough for now.

Debugging PHP using Eclipse and DBG

2008-07-15T18:20:00.000+01:00

I've recently got back in to writing PHP code, and decided I would like to use an IDE with integrated debugger, like I am used to with C, C++, C#, Java and other languages.

Having reviewed the available IDEs that support PHP, I chose Eclipse - mostly because it supports a variety of languages, and I wanted to see if it was as good as people said.

I installed Eclipse from www.eclipse.org onto a Windows XP machine. Then I installed PHPeclipse from www.phpeclipse.net.

I then installed the DBG PHP debugger from dd.cron.ru/dbg/onto my Linux server.

I had some difficulty getting debugging to work. Firstly, I had to update PHPeclipse from the nightly build (this is done in Help, Software Updates), and make sure only DBG support was included (only one debugger is allowed to be installed at a time). Secondly, I found remote debugging did not work at all - all attempts to debug gave the message "failed to establish connection to client host on localhost:10001".

It turns out that DBG requires HTTP_SERVER_VARS to be set in order to find out the IP address of the machine running Eclipse, but CentOS 5 disables this variable by default. The solution was to addregister_long_arrays On to php.ini to re-enable the variable.

It is a little too early to give my impressions of Eclipse - I haven't really found my way about it properly yet. But debugging PHP now (mostly) works, and that in itself is really useful.

Running Xen Virtual Machines full screen

2008-04-29T15:20:00.000+01:00

I'm playing with running Windows in a Xen VM, with Centos 5 as the host O/S. One of the things I want to do is for the VM to appear exactly as it would if it was the native O/S - to do that, it has to take up the whole screen. The Xen virtual machine console does have a Full Screen option on its View menu, but it definitely does not do what it says on the tin!

I have solved this problem - what I do is to start an X Window server on another virtual screen as display 1, with its only client vncviewer running in full screen mode.

The command line I used was startx /usr/bin/vncviewer -FullScreen -MenuKey F12 localhost:1 -- :1. This starts an X session on display :1 (the one you see if you press Ctrl-Alt-F8), running vncviewer full screen with the VNC menu key set to F12, connecting to VM 1. You can then switch back to your host O/S display with Ctrl-Alt-F7

By the way, I have discovered a very useful Xen VM option (which should, IMHO, be the default for Windows VMs) - usbdevice = 'tablet'. This makes Windows think it has a USB graphics tablet, so the mouse cursor tracks the mouse cursor in the VNC viewer exactly. Without this you end up in the horrible situation of having Windows thinking the mouse cursor is in a different place to where you are pointing, and actually refusing to let you point at part of the screen.

CentOS 5 dual display

2008-04-29T11:00:00.000+01:00

I've just taken delivery of a nice Tranquil PC T2e with a 2GHz Intel Core 2 Duo T7200, 4GB of RAM, a 500 GB disk and a twin head graphics card.

I hope to set it up as a virtual PC platform, running my main development system (Windows XP Pro) in a virtual machine, test systems and various flavours of Linux in more virtuam machines.

I initially installed CentOS 5 with the Xen kernel to host the VMs.

However, I was struggling to get dual head working with the ATI Radeon HD 3450 graphics card in the machine - as soon as I used the GUI to tell X Windows to use dual head, X stopped working. Hacking xorg.conf to use the ati drivers that come with CentOS caused an error message that it can't find an ATI Mach 64 card. The proprietary drivers from ATI fail to load with undefined symbols.

I solved this problem by getting an older ATI Radeon X600 card - the standard radeon drivers that come with CentOS understood this card, and it was then simple to get it working.

Setting up the Tortoise SVN client

2008-04-08T11:27:00.000+01:00

I use the Subversion revision control system for all my development projects. It keeps a complete history of every change to every source file in each development project. As well as enabling me to determine exactly what source was used to build a particular version of a product, it also lets me find out what changes I made which introduced a problem or feature. Its branching and merging facilities make it possible for multiple developers to work on the same project without interfering with each other. But, as a friend on the CIX conferencing system once said, "a revision control system is vital for any projects with more than zero developers".

I also use Tortoise SVN as my Windows client for SVN. Here is how I set it up.

First download and install the latest Tortoise SVN. This will add itself into Windows Explorer, providing additional right-click options on files and folders. Now right-click on any folder, choose TortoiseSVN from the menu, and Settings from the sub-menu. You can change which of the many SVN options appear on the initial right-click menu, and which on the TortoiseSVN sub-menu in the "Look and Feel" section.

By default, Tortoise will check every folder on all your hard drives to see if they are SVN folders, and keep cached information about them. This can slow Windows Explorer a little if you have lots of folders. I keep all my SVN checked out sources in one of about 5 folders (one for each of my major customers, and one for my own development). You can tell Tortoise only to check these folders in the "Icon Overlays" section - untick all the "Drive Types" boxes, then add the paths to the "Include paths" box. Finish each path with "\*" (e.g. "C:\Development\*") to also include sub-folders.

If you use Tortoise to connect to report SVN repositories, you will usually use an "svn+ssh:user@domain/project/trunk" style of URL to tell Tortoise where to find the repository. If the repository's SSH server is on an unusual port (see Hacking SSH for details), you will need to configure ssh to use the port. To do this set up putty saved sessions for each of your SVN servers, using the appropriate user name, host name and port. Then use the saved session instead of a full username@domain - e.g. "svn+ssh:@savedsession/project/trunk".

I like to see the SVN revision number and status against all SVN files in Windows Explorer. To do this, display the folder in detail view, right click on the column headings at the top, choose "More...", and scroll down that list to the ones beginning SVN. Tick the ones you want (I like Status and Revision) and they will be included. You can then click on the Status column to sort your directory display with the modified files at the top.

Installing Putty to connect to a Linux box from Windows

2008-04-07T18:59:00.000+01:00

Putty is an implementation of an ssh client for Windows. It allows you to make a secure, encrypted connection to a Linux machine, and optionally to "tunnel" connections between your Windows and Linux machines so that network facilities on one machine can be used from the other one as if they were local.

First, obtain the full putty installer from http://www.chiark.greenend.org.uk/~sgtatham/putty/, and run it. Make sure you get the full installer, not the individual programs.

Now set up your private key - run puttygen, and click the Generate button. This will create a public-private key pair. Add a key comment - usually your email address. Save the key file somewhere safe on your local disk. Also copy the public key string by highlighting it, right clicking, and choosing copy. Email the public key to the administrator of the Linux machine (if that's you, see below!).

Once the administrator has added your public key to the authorized_keys file in the .ssh subdirectory of your home directory on the Linux box, you are ready to log in.

Open putty, and navigate to Connection/SSH/Auth in the tree on the left. Browse to wherever you placed the key file. Go back to Session in the tree. Click Default Settings in the list box, then click Save. That has installed your key as the default key for putty to use.

Now enter your user name and the address of the Linux box under Host Name - e.g. nikki@192.168.1.1. Type a memorable name for the connection in Saved Sessions, and click Save.

Now click the Open button - putty should connect to the Unix box, negotiate a secure connection with it, and present you with a shell window.

Troubleshooting

If the Linux end has not been set up correctly, you will get a password prompt from putty. You can enter your password, but this should not be necessary once everything is set up.

Linux setup

In the user's home directory (usually /home/username), create a directory called .ssh with permissions drwx------:

mkdir .ssh
chmod 700 .ssh

In that directory, create a file called authorized_keys with permissions -rw-r--r--, and place in it a single line containing the public key of the user who want's to log in. If the key was emailed to you, make sure the emailer hasn't word wrapped it into multiple lines. If more than one person wants to log in as this user (or the same person wants to log in from multiple machines), add each public key one per line.

Tunnels

A tunnel connects a port on your machine to a port on the Linux box (Local) or vice versa (Remote). An example of using a tunnel would be to control a MySQL Server on the Linux box from the Windows box using MySql Administrator. You open a tunnel from port 3306 on your Windows machine to 3306 on the Linux box, and MySQL Administrator thinks the MySQL server is running on your Windows machine.

Tunnels are set up in putty under Connection/SSH/Tunnels. Enter 3306 as the source port, and localhost:3306 as the destination port, and click Add. If you always want to do this, you can load your connection on the Session screen, make the change, then save it again.

Hacking SSH

Provided you have a secure login password and keep your private key private, SSH is very secure, except for one little gotcha. Some hackers have scripts which will search machines on the Internet to see if they have port 22 (the SSH port) open. When they find one, they attempt to login using a huge dictionary of login names and passwords. If the passwords on the box are secure, they don't get in. But every failed login attempt is written to a log file, and this can fill up all the disk space!

There are a number of ways to get round this, among which are setting SSH so it does not allow text passwords but insists on a known public-private key pair, and running SSH on a different port number.

If your Linux system administrator uses a different port number, then you need to enter it on the Session page (instead of port 22) before saving your session.

Installing a CentOS firewall & mail/web/file server

2008-04-07T18:44:00.000+01:00

Hardware

I bought a nice 1.5GHz Pentium box from Tranquil PC. It has a 250GB disk, and 3 Ethernet ports (one of which is Gigabit). It has no fans, and is almost completely silent (I can just about hear the hard disk running if I am within 1 metre of the box, on a quiet night).

Network

I have 3 networks in the 192.168 range. One is for the ADSL router and anyone borrowing my Internet connection (the unsafe network). I then have two internal company networks, a Gigabit one to my main work machine, and another for all the other machines and printers.

Software

I installed CentOS 4 Linux on it. Then I added Bill Shupp's Qmail Toaster to provide a complete email solution.

DNS

I have set up the BIND DNS server to provide 3 DNS views

Queries from the Internet return my fixed IP address for all public-facing host names.
Queries from my neighbours return local IP addresses for all public-facing host names, and for the ADSL router.
Queries from the unsafe network return local IP addresses for all public facing names, and also resolve names for every machine on all the networks.

This took a while to work out how to do. In the end, I subscribed to O'Reilly Network Safari Bookshelf which lets you read most of their publications online, and I read "DNS & BIND Cookbook" By Cricket Liu. This helped a lot, and is far more informative than the BIND manual. Here are the config files.

DHCP

I set up the DHCP server to provide DCHP addresses for all my networks. Fixed addresses are provided for most of the machines on the work networks. WPAD (Internet Explorer automatic proxy configuration information) is also provided, using a wpad.dat file on the web server. When it allocates a non-fixed address (for my work laptops, or for visitors), DHCP updates the work DNS zones. This means I can address any machine by name from within my work networks.

Web proxy

I set up the Squid web proxy to provide proxy services for all the internal networks.

File server

I set up Samba to provide a large backup directory for all my Windows machines on work networks only. For the main machine, connected via Gigabit Ethernet, this provides a very fast backup disk. I use Drive Snapshot to make backup images. I also use Unison run using the Windows scheduler to keep an additional backups of important files.

Mail server

Bill's qmail toaster talked me through installing qmail (an improved mail server), vpopmail (makes it easy to handle mail for more than one domain), courier-imap (IMAP and POP servers), SquirrelMail (webmail), SpamAssasin (anti-spam), Clam anti-virus, and a few other bits and pieces to glue it together. I also use fetchmail to collect my trumphurst.com email from SpamCop and feed it into the system. SpamCop does detect and trash about 2000 spam emails sent to my trumphurst.com addresses each day, but it still lets through a hundred or so. I use the Bayesian filters in SpamAssasin to get rid of these.

LogWatch

CentOS comes with a program called LogWatch installed, which goes through the numerous log files generated daily by almost everything in Linux, and emails the root user with a summary of the important stuff. This works really well, except that the the version of LogWatch installed with CentOS doesn't cope well with the multilog log file output favoured by qmail. Upgrading to the latest version from logwatch.org fixes this (and quite a few other minor inconveniences).

Webmin

I did toy with webmin, but I found it didn't work well with my virtual server setup in Apache, it didn't seem to understand the views I set up in BIND, and I generally felt it wasn't sufficiently flexible to cope with my requirements.