Tuesday, 29 April 2008

Running Xen Virtual Machines full screen

I'm playing with running Windows in a Xen VM, with Centos 5 as the host O/S. One of the things I want to do is for the VM to appear exactly as it would if it was the native O/S - to do that, it has to take up the whole screen. The Xen virtual machine console does have a Full Screen option on its View menu, but it definitely does not do what it says on the tin!


I have solved this problem - what I do is to start an X Window server on another virtual screen as display 1, with its only client vncviewer running in full screen mode.


The command line I used was
startx /usr/bin/vncviewer -FullScreen -MenuKey F12 localhost:1 -- :1
. This starts an X session on display :1 (the one you see if you press Ctrl-Alt-F8), running vncviewer full screen with the VNC menu key set to F12, connecting to VM 1. You can then switch back to your host O/S display with Ctrl-Alt-F7


By the way, I have discovered a very useful Xen VM option (which should, IMHO, be the default for Windows VMs) - usbdevice = 'tablet'. This makes Windows think it has a USB graphics tablet, so the mouse cursor tracks the mouse cursor in the VNC viewer exactly. Without this you end up in the horrible situation of having Windows thinking the mouse cursor is in a different place to where you are pointing, and actually refusing to let you point at part of the screen.

CentOS 5 dual display

I've just taken delivery of a nice Tranquil PC T2e with a 2GHz Intel Core 2 Duo T7200, 4GB of RAM, a 500 GB disk and a twin head graphics card.


I hope to set it up as a virtual PC platform, running my main development system (Windows XP Pro) in a virtual machine, test systems and various flavours of Linux in more virtuam machines.


I initially installed CentOS 5 with the Xen kernel to host the VMs.


However, I was struggling to get dual head working with the ATI Radeon HD 3450 graphics card in the machine - as soon as I used the GUI to tell X Windows to use dual head, X stopped working. Hacking xorg.conf to use the ati drivers that come with CentOS caused an error message that it can't find an ATI Mach 64 card. The proprietary drivers from ATI fail to load with undefined symbols.


I solved this problem by getting an older ATI Radeon X600 card - the standard radeon drivers that come with CentOS understood this card, and it was then simple to get it working.

Tuesday, 8 April 2008

Setting up the Tortoise SVN client

I use the Subversion revision control system for all my development projects. It keeps a complete history of every change to every source file in each development project. As well as enabling me to determine exactly what source was used to build a particular version of a product, it also lets me find out what changes I made which introduced a problem or feature. Its branching and merging facilities make it possible for multiple developers to work on the same project without interfering with each other. But, as a friend on the CIX conferencing system once said, "a revision control system is vital for any projects with more than zero developers".


I also use Tortoise SVN as my Windows client for SVN. Here is how I set it up.


First download and install the latest Tortoise SVN. This will add itself into Windows Explorer, providing additional right-click options on files and folders. Now right-click on any folder, choose TortoiseSVN from the menu, and Settings from the sub-menu. You can change which of the many SVN options appear on the initial right-click menu, and which on the TortoiseSVN sub-menu in the "Look and Feel" section.


By default, Tortoise will check every folder on all your hard drives to see if they are SVN folders, and keep cached information about them. This can slow Windows Explorer a little if you have lots of folders. I keep all my SVN checked out sources in one of about 5 folders (one for each of my major customers, and one for my own development). You can tell Tortoise only to check these folders in the "Icon Overlays" section - untick all the "Drive Types" boxes, then add the paths to the "Include paths" box. Finish each path with "\*" (e.g. "C:\Development\*") to also include sub-folders.


If you use Tortoise to connect to report SVN repositories, you will usually use an "svn+ssh:user@domain/project/trunk" style of URL to tell Tortoise where to find the repository. If the repository's SSH server is on an unusual port (see Hacking SSH for details), you will need to configure ssh to use the port. To do this set up putty saved sessions for each of your SVN servers, using the appropriate user name, host name and port. Then use the saved session instead of a full username@domain - e.g. "svn+ssh:@savedsession/project/trunk".


I like to see the SVN revision number and status against all SVN files in Windows Explorer. To do this, display the folder in detail view, right click on the column headings at the top, choose "More...", and scroll down that list to the ones beginning SVN. Tick the ones you want (I like Status and Revision) and they will be included. You can then click on the Status column to sort your directory display with the modified files at the top.

Monday, 7 April 2008

Installing Putty to connect to a Linux box from Windows

Putty is an implementation of an ssh client for Windows. It allows you to make a secure, encrypted connection to a Linux machine, and optionally to "tunnel" connections between your Windows and Linux machines so that network facilities on one machine can be used from the other one as if they were local.


First, obtain the full putty installer from http://www.chiark.greenend.org.uk/~sgtatham/putty/, and run it. Make sure you get the full installer, not the individual programs.


Now set up your private key - run puttygen, and click the Generate button. This will create a public-private key pair. Add a key comment - usually your email address. Save the key file somewhere safe on your local disk. Also copy the public key string by highlighting it, right clicking, and choosing copy. Email the public key to the administrator of the Linux machine (if that's you, see below!).


Once the administrator has added your public key to the authorized_keys file in the .ssh subdirectory of your home directory on the Linux box, you are ready to log in.


Open putty, and navigate to Connection/SSH/Auth in the tree on the left. Browse to wherever you placed the key file. Go back to Session in the tree. Click Default Settings in the list box, then click Save. That has installed your key as the default key for putty to use.


Now enter your user name and the address of the Linux box under Host Name - e.g. nikki@192.168.1.1. Type a memorable name for the connection in Saved Sessions, and click Save.


Now click the Open button - putty should connect to the Unix box, negotiate a secure connection with it, and present you with a shell window.

Troubleshooting


If the Linux end has not been set up correctly, you will get a password prompt from putty. You can enter your password, but this should not be necessary once everything is set up.


Linux setup


In the user's home directory (usually /home/username), create a directory called .ssh with permissions drwx------:


mkdir .ssh
chmod 700 .ssh

In that directory, create a file called authorized_keys with permissions -rw-r--r--, and place in it a single line containing the public key of the user who want's to log in. If the key was emailed to you, make sure the emailer hasn't word wrapped it into multiple lines. If more than one person wants to log in as this user (or the same person wants to log in from multiple machines), add each public key one per line.


Tunnels


A tunnel connects a port on your machine to a port on the Linux box (Local) or vice versa (Remote). An example of using a tunnel would be to control a MySQL Server on the Linux box from the Windows box using MySql Administrator. You open a tunnel from port 3306 on your Windows machine to 3306 on the Linux box, and MySQL Administrator thinks the MySQL server is running on your Windows machine.


Tunnels are set up in putty under Connection/SSH/Tunnels. Enter 3306 as the source port, and localhost:3306 as the destination port, and click Add. If you always want to do this, you can load your connection on the Session screen, make the change, then save it again.


Hacking SSH


Provided you have a secure login password and keep your private key private, SSH is very secure, except for one little gotcha. Some hackers have scripts which will search machines on the Internet to see if they have port 22 (the SSH port) open. When they find one, they attempt to login using a huge dictionary of login names and passwords. If the passwords on the box are secure, they don't get in. But every failed login attempt is written to a log file, and this can fill up all the disk space!


There are a number of ways to get round this, among which are setting SSH so it does not allow text passwords but insists on a known public-private key pair, and running SSH on a different port number.


If your Linux system administrator uses a different port number, then you need to enter it on the Session page (instead of port 22) before saving your session.

Installing a CentOS firewall & mail/web/file server

Hardware


I bought a nice 1.5GHz Pentium box from Tranquil PC. It has a 250GB disk, and 3 Ethernet ports (one of which is Gigabit). It has no fans, and is almost completely silent (I can just about hear the hard disk running if I am within 1 metre of the box, on a quiet night).

Network


I have 3 networks in the 192.168 range. One is for the ADSL router and anyone borrowing my Internet connection (the unsafe network). I then have two internal company networks, a Gigabit one to my main work machine, and another for all the other machines and printers.


Software


I installed CentOS 4 Linux on it. Then I added Bill Shupp's Qmail Toaster to provide a complete email solution.

DNS


I have set up the BIND DNS server to provide 3 DNS views

  • Queries from the Internet return my fixed IP address for all public-facing host names.
  • Queries from my neighbours return local IP addresses for all public-facing host names, and for the ADSL router.
  • Queries from the unsafe network return local IP addresses for all public facing names, and also resolve names for every machine on all the networks.

This took a while to work out how to do. In the end, I subscribed to O'Reilly Network Safari Bookshelf which lets you read most of their publications online, and I read "DNS & BIND Cookbook" By Cricket Liu. This helped a lot, and is far more informative than the BIND manual. Here are the config files.

DHCP


I set up the DHCP server to provide DCHP addresses for all my networks. Fixed addresses are provided for most of the machines on the work networks. WPAD (Internet Explorer automatic proxy configuration information) is also provided, using a wpad.dat file on the web server. When it allocates a non-fixed address (for my work laptops, or for visitors), DHCP updates the work DNS zones. This means I can address any machine by name from within my work networks.

Web proxy


I set up the Squid web proxy to provide proxy services for all the internal networks.

File server


I set up Samba to provide a large backup directory for all my Windows machines on work networks only. For the main machine, connected via Gigabit Ethernet, this provides a very fast backup disk. I use Drive Snapshot to make backup images. I also use Unison run using the Windows scheduler to keep an additional backups of important files.

Mail server


Bill's qmail toaster talked me through installing qmail (an improved mail server), vpopmail (makes it easy to handle mail for more than one domain), courier-imap (IMAP and POP servers), SquirrelMail (webmail), SpamAssasin (anti-spam), Clam anti-virus, and a few other bits and pieces to glue it together. I also use fetchmail to collect my trumphurst.com email from SpamCop and feed it into the system. SpamCop does detect and trash about 2000 spam emails sent to my trumphurst.com addresses each day, but it still lets through a hundred or so. I use the Bayesian filters in SpamAssasin to get rid of these.

LogWatch


CentOS comes with a program called LogWatch installed, which goes through the numerous log files generated daily by almost everything in Linux, and emails the root user with a summary of the important stuff. This works really well, except that the the version of LogWatch installed with CentOS doesn't cope well with the multilog log file output favoured by qmail. Upgrading to the latest version from logwatch.org fixes this (and quite a few other minor inconveniences).

Webmin


I did toy with webmin, but I found it didn't work well with my virtual server setup in Apache, it didn't seem to understand the views I set up in BIND, and I generally felt it wasn't sufficiently flexible to cope with my requirements.