Dec 12 2010

I recently had cause to restart a virtual machine on my ESXi host, but my usual method of firing up my Windows 7 machine and using the graphical manager was unavailable.

Fortunately the relevant instructions were obtainable from the http://vm-help.com/ site …

First, log into the ESXi host itself (which you have to enable beforehand), and run :-

vim-cmd vmsvc/getallvms

This lists the current virtual machines. Find the one you want to restart and note its ID in the first column. Use this in the following commands :-

vim-cmd vmsvc/power.reboot ${vmid}

This requires VMware Tools to be installed on the virtual machine, and for the tools to be running (i.e. the virtual machine needs to be reasonably healthy). If this is not the case, you will need to do the equivalent of hitting the reset button :-

vim-cmd vmsvc/power.reset ${vmid}

And that’s it! A lot quicker than the GUI way, unless you happen to have that always running.
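The steps above combined into one script, as an added example that is not part of the original post: it looks the VM up by exact name in the getallvms listing, tries power.reboot, and falls back to power.reset only if the guest reboot fails. The VIM_CMD variable, the function names and the sample listing are assumptions made for the example, as is vim-cmd returning a non-zero exit status when a power operation fails.

```shell
#!/bin/sh
# Added example (not from the original post): restart a VM by name from the ESXi shell.
VIM_CMD=${VIM_CMD:-vim-cmd}   # overridable so the logic can be exercised off-host

# Constructed sample of `vim-cmd vmsvc/getallvms` output, for offline runs.
sample_getallvms() {
    cat <<'EOF'
Vmid      Name              File                              Guest OS        Version   Annotation
1      win7 desktop   [datastore1] win7/win7.vmx         windows7_64Guest   vmx-07
12     mail           [datastore1] mail/mail.vmx         ubuntu64Guest      vmx-07
13     mail-test      [datastore2] mail-test/mail.vmx    ubuntu64Guest      vmx-07
EOF
}

# Print the Vmid whose Name column equals $1 exactly (getallvms output on stdin).
# Names may contain spaces, so the name is the text between the Vmid and the
# "[datastore]" column. Exit 1 = no match, 2 = ambiguous.
vmid_for_name() {
    awk -v want="$1" '
        /^[0-9]+[ \t]/ {
            name = $0
            sub(/^[0-9]+[ \t]+/, "", name)    # drop the Vmid column
            sub(/[ \t]+\[.*$/, "", name)      # drop "[datastore] path ..." onwards
            if (name == want) { id = $1; n++ }
        }
        END {
            if (n == 1) { print id; exit 0 }
            if (n == 0) exit 1
            exit 2
        }'
}

# Guest reboot first (needs VMware Tools); hard reset only if that fails.
# Assumption: vim-cmd exits non-zero when the requested power operation fails.
restart_vm() {
    vmid=$($VIM_CMD vmsvc/getallvms | vmid_for_name "$1") || {
        echo "no unique VM named '$1'" >&2
        return 1
    }
    if $VIM_CMD vmsvc/power.reboot "$vmid" >/dev/null 2>&1; then
        echo "reboot $vmid"
    elif $VIM_CMD vmsvc/power.reset "$vmid" >/dev/null 2>&1; then
        echo "reset $vmid"
    else
        echo "could not restart vmid $vmid" >&2
        return 1
    fi
}

# On the host: sh restart-vm.sh "<vm name>". With no argument, nothing is changed.
if [ $# -gt 0 ]; then restart_vm "$1"; fi
```

Refusing to act unless exactly one name matches keeps a hard reset from landing on the wrong virtual machine.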

Dec 08 2010

If anyone has been following the news closely over the last few days, they will be aware of the attempt that the Swedish authorities are making to extradite Julian Assange to face an assortment of sex charges including rape. Even by itself, there is enough suspicion about the timing of this given previous history of the charges to cause any neutral observer to wonder just what is going on here.

For those who have not dug into the details, the charges were first investigated in August 2010 and then dropped before being re-opened. All the while Julian Assange was either in Sweden, or willing to talk to the prosecutor although not prepared to travel to Sweden at his own expense. The escalation to a request for extradition was unfortunately timed, happening at the same time as the latest WikiLeaks (linking to a mirror as the main site is mysteriously down) publications.

By itself it is just about enough to cause a sensible person to say to themselves … “I wonder … Nah!”, but there are other things happening to WikiLeaks.

WikiLeaks appears to be under a continual distributed denial of service attack where many computers are used to send traffic to the WikiLeaks servers. There are two sets of servers involved in hosting the WikiLeaks sites – the actual web servers themselves, and the DNS servers hosting the name.

In the case of the web servers, the servers were first moved to the Amazon cloud service in the middle of a denial of service attack – so Amazon can hardly complain about this as it was known about at the time. Yet after less than a week, the site was booted off the Amazon cloud without a public explanation. The suspicion is that political pressure was brought to bear especially given one of the earliest statements about the issue was from a certain Joseph Lieberman – a US Senator.

WikiLeaks then went to a French hosting company – OVH – who have stated that they will honour their contract. Presumably providing that the French courts do not insist that they terminate the contract, which is possible given that the case is under review.

Separately to this, the WikiLeaks domain (or “name”) has itself been under attack. Large scale distributed denial of service attacks took place against the EveryDNS infrastructure servers that provide the name wikileaks.org, and every other name hosted by the same infrastructure. EveryDNS took the step of terminating their domain hosting. As of now, the domain wikileaks.org is not available via the DNS servers I run, indicating that either they have not found another hosting company for the name, or their alternative arrangements are under sufficiently serious attack.

Those are the technical attacks.

In addition, a number of financial companies have frozen WikiLeaks accounts preventing funds from being used, or donations being made – PayPal (who admit that their decision was influenced by the US Government) and Mastercard amongst them.

Add all the attacks together and you start to think that there is some kind of conspiracy behind all this – perhaps the US government is waging cyberwar against WikiLeaks. It is almost certain that they have this capability and there are indications that they are annoyed enough with WikiLeaks to do this.

However it is still more probable that this is a combination of :-

  1. Annoyed US (and possibly other) “hackers” making denial of service attacks against the WikiLeaks infrastructure and the associated infrastructure.
  2. Various commercial organisations deciding that it is too much hassle to “help” WikiLeaks and deciding to terminate their contracts.

Probably the harshest criticism should be directed at PayPal who have just said in a TV interview that they received advice from the US State Department that the WikiLeaks site was probably illegal under US law. Well the opinion of a government in a free society should not be enough to condemn an organisation, and the directors of PayPal could deservedly be called chickenshit arse-lickers for their actions.

Perhaps you do not believe that WikiLeaks is in the right here. I’m not entirely sure myself – leaking US diplomatic cables is one thing, but perhaps publishing a list of potential targets the US government feels are critical to its security was a step too far. But there is a bigger issue here than “merely” WikiLeaks itself. We are seeing a situation where a website that has not been condemned for their actions in any court of law has been pushed around and to some extent off the Internet by the actions of a few – both people engaged in illegal activities (denial of service attacks) and people making commercial decisions (terminating contracts).

Imagine if you will, this website is something controversial in a country that is considered a pariah by most of the world – Iran perhaps; perhaps they publish allegations with evidence of widespread government crimes and corruption. Iran and supporters of Iran undertake to destroy that website with “cyberwarfare”. Wouldn’t we want that website to be protected in some way ? Perhaps you are thinking that Iran doesn’t have the resources to undertake such an attack; well think again. Many of the largest botnets capable of carrying out widespread denial of service attacks are under the control of organised criminals (spammers) who have less resources than any government – it takes little more than a spotty teenager in a basement to control tens of thousands of compromised machines and target whatever they like.

In such a situation, it would seem to make sense to provide a hosting service of last resort. Presumably a volunteer effort as it would have to be immune to commercial interests, and presumably massively parallel to ensure that there are many servers providing service so that a distributed denial of service attack would fail to hit everywhere.

Lastly, the US reaction to WikiLeaks seems to me to be a little over the top. And I am not talking about the lunatic fringe who are likely to jump up and down screaming at the slightest criticism of the US, but at more respected figures. Some of the reactions verge on coming close to events such as the Fatwā against Salman Rushdie way back in the 1980s.

For example :-

  • Jeffrey T Kuhner wrote in an editorial in the Washington Times that Julian Assange should be treated “the same way as other high-value terrorist targets” and be assassinated.
  • Gordon Liddy has suggested that Julian Assange should be added to a “kill list” of terrorists to be assassinated without trial.
  • Mitch McConnell has called Julian Assange a “high-tech terrorist”.
  • Newt Gingrich has stated “and Julian Assange is engaged in terrorism. He should be treated as an enemy combatant.”. Well it would be a start to treat any terrorist as an enemy combatant (the US doesn’t as enemy combatants have rights).

Calling for the assassination of Julian Assange is no better than a radical Islamist calling for the assassination of Salman Rushdie – we’re supposed to be better than the knuckle dragging fundamentalists frothing at the mouth. Seems that some in the US aren’t. A reminder to those people – we supposedly live in countries where the rule of law is supposed to be followed, and nobody has tried and convicted Julian Assange of anything in relation to WikiLeaks.

As for calling Julian Assange a terrorist, that is blatantly ridiculous. However annoyed you may be with him, none of his actions equate to driving a truck packed with explosives into a crowded shop entrance, or hijacking a plane and flying it into a large city killing thousands. Even if any information published by WikiLeaks has led to the death of anybody (and nobody has managed to demonstrate this – merely raised ill-founded concerns about the possibility), the responsibility for those deaths belongs to those carrying out the killings and not WikiLeaks. At most (in such circumstances), WikiLeaks might be guilty of incitement to murder – and in a much less obvious way than those calling for the head of Julian Assange to be delivered to them on a platter.

The US is beginning to look like the fool in all of this – their information security is a joke, and their reaction to their inability to keep secrets is to shoot the messenger in a way that makes them look no better than those rogue regimes they complain so much about.

Nov 20 2010

For some time now, I have been contemplating switching Linux distributions on my main workstation from Ubuntu to something a little less … user friendly ? Or perhaps that should be a little more Unix geek friendly. The distribution I chose was ArchLinux for a variety of reasons. If you come across this blog entry looking for a solution to a problem, it may be worth reading through in case the solution appears later on – this is long, and searches may “hit” on something later on.

First of all, let me point out there is really nothing wrong with Ubuntu for most users. It is a pretty useful distribution that is pretty good for the kind of users who have never compiled their own kernel. Nothing wrong with that, but it seems that Ubuntu is gradually becoming a little trickier to use for those of us who prefer to customise their desktop environment with something like Enlightenment – it seems that Ubuntu is really intended for those who want the Ubuntu way.

Nothing wrong with that, and I’m intending to keep running Ubuntu on my netbook. However I wanted a little more control for my main workstation. And what with an SSD to install as a new boot device, it seemed like a good time to try out ArchLinux especially as I could reboot into Ubuntu if things looked bad. As it happens I haven’t needed to do that! This blog entry is going to get quite long as a place to record my notes on getting ArchLinux to do the things I want, and will grow over time.

The Install

I downloaded the core install image rather than the net install image – not for any good reason as I have done test installs from the net install image and it works well. After installing the SSD into my workstation (stuck to the bottom of the case with duct tape – I should really get a 2.5->3.5″ disk tray), I changed the boot order of the disks in my BIOS to boot from the SSD first. This was perhaps not the best idea as it made things a little trickier later, but it’s workable if you are prepared to juggle disk names (both Linux ones and BIOS/Grub ones).

First for the boring bit :-

  1. Booted off the install CD
  2. Selected CD as source
  3. Set Europe/London as timezone
  4. Set hwclock as UTC
  5. Prep hard drives-
    1. Manually configure hard drives
    2. Partition /dev/sdc (the SSD – identified by the fact it was empty)
    3. Created 256Mb partition /dev/sdc1 (for /boot)
    4. Created partition with the rest of the space /dev/sdc2 as LVM
    5. Manually configure block devices
      1. By device name
      2. Created /boot on /dev/sdc1 as ext2
      3. /dev/sdc2 becomes Volume Group
      4. / as XFS (16G)
      5. /var as ReiserFS (4G)
      6. swap (4G) – Although I have a tendency to forget this one!
      7. /opt as XFS (4G)
      8. /tmp as ReiserFS (4G) – perhaps a bit too big.
  6. Select Packages
    1. Select Base + Development.
    2. Pick random additions that look like they might be useful (note that it may be necessary to pick all of the various mkinitcpio variations as I did that on the later attempts).
  7. Install Packages
  8. Configure System
    1. Select ‘vi’ as editor
    2. Made the following changes to rc.conf
      1. UseLVM=yes
      2. HOSTNAME=scrofula
      3. eth0="eth0 10.0.0.18 netmask 255.255.0.0 broadcast 10.0.255.255"
      4. gateway="default gw 10.0.0.254"
      5. ROUTES=(gateway)
    3. Made the following changes to mkinitcpio.conf
      1. BINARIES="/sbin/lvm". This shouldn’t be necessary, but at one point I ended up with a miniroot shell which was unable to mount the root filesystem and with no LVM present, I couldn’t see what was wrong! This error could be related to the raid problems detailed below, but adding this won’t cause any harm.
      2. HOOKS="base udev autodetect scsi sata lvm2 filesystems". Note that “raid” is suggested as necessary for software RAID; that turns out to be incorrect as discovered later. (Although I needed software RAID to mount my /home, I left that for later after putting raid in here gave errors.)
    4. Made the following changes to resolv.conf
      1. search inside.zonky.org
      2. nameserver 10.0.0.12
    5. Made the following changes to mirrorlist
      1. Select something from “Great Britain”.
    6. Set root password.
    7. Done
  9. Install Bootloader
    1. Grub
    2. Installed to /dev/sdc! This is because although the SSD is the third by address, it is also the first boot device in the BIOS.

This didn’t work the first time around. Firstly grub wasn’t setup properly as it wanted to boot the next stage from (hd2,0) which would be one of the hard disks rather than the SSD, as at this point the BIOS is still in charge (more or less). This was easily fixed on a temporary basis by editing the boot setting at the menu, and later on a more permanent basis by editing /boot/grub/menu.lst.

Secondly the first couple of times around, I found myself in what I term the “miniroot shell” which is the shell you get when the Linux install fails to mount the root filesystem. The only hint I had here was that a) it couldn’t mount the root filesystem, and b) the binary /bin/lvm was not present. On the third or fourth attempt (my notes aren’t sufficiently accurate) I managed to get past this stage by excluding the raid “hook” and including the /bin/lvm binary in the mkinitcpio configuration file.

It would seem that at some point ArchLinux has changed the “hook” name from raid to dmraid and some instructions out there still refer to the hook as “raid”. My fault for not checking closely enough with enough sources! But there’s no harm in the ArchLinux people configuring both names – probably just a case of setting up a hard link somewhere!

Post-Installation

With a distribution such as ArchLinux, the easy part is the installation; things get a bit trickier with the post-installation configuration. This is simply because to allow you to do things your way, it needs to leave things alone and let you do your stuff. In other words this lack of default configuration is a feature and not a bug!

The first thing to do after a core install (and probably a net install too) is to perform a full update :-

pacman -Suy

The “pacman” tool is of course the ArchLinux package management tool. This operation sits somewhere between a normal Ubuntu package upgrade and a full Ubuntu distribution upgrade. ArchLinux does not have distribution versions in the same way as Ubuntu – whilst the installation media is undoubtedly upgraded from time to time, once actually installed the command above will perform both upgrades to apply necessary fixes, and upgrade packages when new versions come out.

This can lead to some surprises from time to time of course, but there is also never quite the same level of shock that comes with a distribution upgrade.

In any case, I needed to run the command twice as pacman itself needed an upgrade.

After doing that, I set CONSOLEFONT in /etc/rc.conf to “sun12x22.psfu” to improve the appearance of the console, although there are another couple of fonts based on that font that may well be a better choice. Later I used the “consolefont” hook to set the console font at an earlier stage during the boot process – which is neater; however you should specify the font without the file extension – “sun12x22”, and of course add “consolefont” to the HOOKS variable in /etc/mkinitcpio.conf.

I also edited /boot/grub/menu.lst to change the line that specifies what kernel to load and its options :-

kernel /vmlinuz26 root=/dev/mapper/ssd-root ro vga=775

Specifically adding the “vga=775” to the end of that. This makes the appearance of the console not quite so overwhelming on a 30″ monitor!

Also added “dmraid” to the HOOKS variable in /etc/mkinitcpio.conf although reading more documentation hints that the right hook is actually “mdadm”. Run mkinitcpio -p kernel26 to update things.

Rebooted to verify that things are still working. Plus check that the CONSOLEFONT was ok, and that the old volume group:sys was visible.

Nov 18 2010

I have been running a script to do some basic statistics on the spam I receive for many years now, but I recently spotted that it wasn’t being updated. After having updated my workstation to ArchLinux, I spent a little time getting it to work again.

Incidentally the reason the spam report wasn’t being updated on the main website was that the script to collect it was trying to pick it up from a workstation that is now running OSX – it’s been that long since I checked it was working! However most of the time was spent getting it to work with Python 3, which has a few changes from Python 2 which make very basic scripts likely to fail.

However it is now working again, so if you are still curious, you can read it here.