Now on a 32-bit VM

One of the dirty little secrets of 64 bit computing is that it greatly impacts memory usage.  For the past year I’ve been hosting this blog and some other software on a 256MB 64 bit slice.  Getting a LAMP stack to run in 256MB is certainly possible.  When I started in this biz a decade ago that was a healthy amount of RAM.  However, when you run a 64 bit VM, memory does tend to be hard to come by.

The reason is really simple.  On a 64 bit processor your standard unit of data is twice as large as on a 32 bit processor.  This means that oftentimes you are using 64 bits of data to store a number that would fit just fine in 32 bits.  It’s possible to use smaller amounts, but most programs just tend to use the default machine “word” size.  So 64 bit programs tend to use A LOT more RAM.

Tonight I “downgraded” my VM from a 64 bit VM to one of SliceHost’s new 32 bit VMs.  It couldn’t have been simpler.  I tar’ed up the source code, mysqldump’ed the database, copied those backups offsite and told SliceHost to rebuild the server.  When I brought the server back up I configured the database passwords, installed a couple packages, set up a couple virtual hosts, and restored my backups, and we’re back in business.   It was all ready by half time of the Lakers/Suns game, which means it probably took about an hour.

VAIO smart network, not so smart

This is actually a Windows problem, but since I don’t run a Windows blog this rant goes here.  My wife’s Sony VAIO laptop has not had wireless networking for two days.  Today I figured out why and it was pretty frustrating.

The problem first occurred the other day when one of the children did “something” to the laptop, and the wireless networking had not worked since.  So the first thing I checked was the little slider switch on the front of the laptop.  That would have been an obvious cause of the problem.  Unfortunately, everything was fine with the switch.  I checked the Windows device manager and it said the wireless adapter was functioning just fine.  I couldn’t figure out why the little green LED on the front of the laptop would not indicate wireless networking was on.

I’ve had miserable experiences with Vista wireless networking, so the next thing I tried was to power down the laptop, remove the battery, and leave it overnight to discharge any internal circuitry that may stay charged for a period of time.  The next day it still would not work.

Next I plugged the laptop into a wired network and installed the latest antivirus updates and then the latest windows updates.  I didn’t really think these would fix it, but at this point I was baffled.

Finally, I went to Google and found my problem.  The VAIO, like many laptops, has its own redundant dashboard software for managing a number of the laptop functions.  The standard Windows dialogs all thought everything was on and running, but the VAIO specific “smart network” was not on.  I re-enabled WLAN in “smart network” and everything worked great.

I don’t know if there is a reason that vendors seem to ship redundant dashboards with their machines.  I’m really quite tired of it, though.  Either windows power management & wireless networking needs to be disabled or these redundant tools need to go away.  One way or the other, though, I need to be able to check a single spot to determine whether the network is on.

Virtualization for consultants

Virtualization has really taken off over the last couple of years.  One of the sites I work on is hosted on a virtual machine over at SliceHost (they’re excellent BTW).

A company I was with a few years back has switched their whole development environment to be fully automated VMs.  They can create a new clone of a VM and fire up a clean copy in a matter of minutes.

In my consulting work I’ve stumbled onto a problem that virtualization solves wonderfully.  The problem is this: small clients never have a development server for me to work on.  Many clients would prefer that I just develop directly on their production machine.  My position, however, is that I will never write/debug code on a production server, even if your site gets practically zero traffic.  It’s just a matter of principle.  What’s more, if you ever want to be a big site, you should make sure that your site isn’t down with errors all day long while people are coding up the next version.

What I did when I first started consulting was grab an old PC that I had snatched up at a surplus sale for $10 and load Linux on it.  When I started work with a new client I could usually configure a LAMP stack in less than an hour for the peculiarities of that client and then I’d be in business.  Of course, if I wanted to juggle multiple clients I had to use shell scripts to swap out the apache/php configs.

Then one day I decided to give virtualization a try.  It is absolutely fabulous!  I upgraded my little $10 machine with a 300 Gig hard drive, and set up a VM for each client on it.  Each client can have 10-20 gigs.  If I ever outgrow my 300 Gig drive it will be a no brainer to go grab a terabyte drive for whatever ridiculously cheap price they’re selling for and I’ll have plenty of room to grow.

Now if I want to switch from my VentureReturns VM to my HumanServicesHQ VM, I simply issue the following command.

xm shutdown vr -w;xm create hshq -c

Back on my desktop machine I just switch eclipse from one workspace to another and within about a minute I’m ready to work on an entirely different platform.  How cool is that!

Now with captchas!

The last day or two somebody found the blog and started spamming the comments section.  All the emails for comment approval started to become a distraction.  So this morning I’ve enabled reCAPTCHA on LinuxGems.

There is a reCAPTCHA plugin for wordpress that makes the captchas a snap to set up.  It probably took about 5 minutes including signing up at recaptcha.net.

If you’re not familiar with reCAPTCHA, it is a bit different from some of the other captchas out there.  reCAPTCHA uses a pair of words, one of which is a known word and one of which is a word that failed OCR.  To pass the captcha test the user has to get the known word right.

The second word, the one that failed OCR, is actually text from older literature that needs digitizing.  So using reCAPTCHA is a bit of a public service.  When a statistically significant group of people put the same value for a given word then reCAPTCHA knows that they have figured out what the word was.

Slick stuff.

SSH Port forwarding

Do you have ssh access to your office network, but you need http access? Here is a way to tunnel your traffic over the secure connection to your office web server. Now you can surf the office Intranet from home!

Don’t try this without getting permission first!! Your employer might not have understood how much access they had given you when they gave you that ssh login.

The feature that you need to use is called port forwarding. The idea is that your local ssh program captures traffic to a port on your machine and forwards it to a machine (any machine) on the other side of the connection.

For example, I could forward port 8080 on 127.0.0.1 to go to intranet.mycompaniesinternalnetwork.com port 80. Pretty cool, eh? Again, as I mentioned at the top, whoever granted you ssh access probably didn’t realize that you can forward everything else once you log in. Make sure they understand what you intend to do!

First, in the home directory of the machine you are connecting from, create or edit a file named ~/.ssh/config. This file will specify what ports to listen on and what machines to forward them to. Let’s pretend we want to ssh into a machine we’ll nickname ted. Here is an example ~/.ssh/config file that connects to firewall.mycompaniesinternalnetwork.com and then starts forwarding port 8080 of your machine (note that in the config file the local port and the remote host:port are two separate arguments, unlike the -L 8080:host:80 form used on the command line):

Host ted
    HostName firewall.mycompaniesinternalnetwork.com
    LocalForward 8080 intranet.mycompaniesinternalnetwork.com:80

That’s all it takes! The connection only works when you are ssh’d in to the remote machine. So to test it you would run

ssh ted

and then once you logged in you could point your browser to http://127.0.0.1:8080/ to go to http://intranet.mycompaniesinternalnetwork.com/

But wait! We can do one better. Rather than always using 127.0.0.1, we can add an entry to our /etc/hosts file to make intranet.mycompaniesinternalnetwork.com always resolve to 127.0.0.1. That entry would look like this:

127.0.0.1   intranet.mycompaniesinternalnetwork.com

Now we can connect to http://intranet.mycompaniesinternalnetwork.com:8080/ and it’s just like connecting to port 80 of the real site. (It ultimately does, after all.) One side effect: with that entry in place the name points at your own machine whether or not the tunnel is up, so remove it if you later get direct access. In case you are curious, only root can configure your local machine to accept connections on low-numbered (so-called well-known) ports. That is the reason for the 8080 port number.
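Two mistakes bite people with this setup: writing the port and target as one word (which ssh rejects) and binding the listener to every interface, which hands your office intranet to anyone on your home LAN. Here is an added lint script in POSIX sh plus awk; it is not from the original post, and the hosts bastion.example.invalid and wiki.example.invalid in its sample config are made up:

```shell
#!/bin/sh
# Added example, not from the post: lint the LocalForward entries in an ssh_config
# before relying on them. Two things to catch:
#  1. ssh_config takes the listen port and the target as two separate words
#     ("LocalForward 8080 host:80"); a single "8080:host:80" word is rejected.
#  2. a bind address of "*", "0.0.0.0", "::" or an empty one ("*:8080", ":8080")
#     listens on every interface, so anyone on your home LAN can reach the office
#     intranet through your tunnel. With no bind address ssh binds loopback
#     (assumes GatewayPorts is left at its default of "no").
# Limitation: the "Key=Value" spelling that ssh_config also allows is not parsed.

# Reads an ssh_config on stdin, prints one finding per line, exits 1 if any.
lint_forwards() {
    awk '
    tolower($1) == "host" { host = $2 }
    tolower($1) == "localforward" {
        if (NF != 3) {
            printf "%s: LocalForward needs 2 arguments, got %d: %s\n", host, NF - 1, $0
            bad++
            next
        }
        n = split($2, part, ":")
        bind = (n == 1) ? "127.0.0.1" : part[1]
        if (bind == "" || bind == "*" || bind == "0.0.0.0" || bind == "::") {
            printf "%s: port %s listens on all interfaces -> %s\n", host, part[n], $3
            bad++
        }
    }
    END { exit (bad > 0) }'
}

# Constructed sample: the host from the post, plus a host with two faulty forwards.
SAMPLE_CONFIG='Host ted
    HostName firewall.mycompaniesinternalnetwork.com
    LocalForward 8080 intranet.mycompaniesinternalnetwork.com:80

Host shared
    HostName bastion.example.invalid
    LocalForward *:9090 wiki.example.invalid:80
    LocalForward 9191:wiki.example.invalid:80'

if printf '%s\n' "$SAMPLE_CONFIG" | lint_forwards; then
    echo "all forwards stay on loopback"
else
    echo "fix the forwards above before using this config"
fi
```

Run it against your real file with `lint_forwards < ~/.ssh/config`.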

Blocking all traffic to an outbound IP

Normally I would say that blocking an outbound IP is pointless since there are billions of different IPs that your users can go to. However, today Verisign pointed *.com and *.net at themselves for a search page that they intend to derive revenue from. Since they are not the legal owners of *.com and *.net (rather they are stewards over it) they have no business doing this.

Note: Since this article was originally posted, Verisign has returned the *.com and *.net space to their correct behavior. Nevertheless, iptables is good to know, so I’ll leave this article on the site.

To make matters worse, there is a Web bug pasted on the page, which is no doubt recording which domains are valuable, probably so that Verisign can turn around and sell those domains at a higher rate.

Then there is the spam. I got 200 pieces of spam in one day today. That’s double the normal rate. My ISP must have been filtering them out before, but now all my spam has these bogus domains in the email envelope.

Finally, my registrar godaddy.com does not appear to have been ready for this, which is probably costing them a great deal of money. This rubs me the wrong way just enough that I’m going to block the only outbound IP I’ve ever blocked.

I’ve always deplored cybersquatters, and this is cybersquatting to the extreme. So, I can’t do much about Verisign’s actions, but I can keep anybody on my little network from being sucked into this garbage. The IP we are seeking to block is 64.94.110.11. Just for fun we’ll pretend that it is a 32 bit network address and a 0 bit host.

So, how do we block an outbound IP? Depending on your Linux version you are probably running ipchains or iptables.

For ipchains the statement is

/sbin/ipchains -I output -d 64.94.110.11/32 -j REJECT

For iptables it should be something like

/sbin/iptables -I OUTPUT -d 64.94.110.11/32 -j REJECT

Test out a few of your common destinations, test a bogus destination, and if that works then add the appropriate line to your system start up.
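As an added example (not the post’s own script), here is the same block wrapped so it can be re-run from a start-up script without stacking up duplicate rules, together with a check that reads an `iptables -S OUTPUT` dump so you can confirm the rule landed; the persistence path /etc/iptables.rules is an assumption.

```shell
#!/bin/sh
# Added example, not the post's own script: apply the outbound block so that it
# can be re-run safely at boot, then confirm it from a ruleset dump.
# Assumes an iptables that supports -C (check) and -S (list as rules); run as root.
BLOCKED=64.94.110.11/32

# Insert the REJECT rule only if an identical one is not already in OUTPUT, so a
# start-up script does not pile up duplicates. REJECT rather than DROP makes a
# local browser fail at once instead of waiting for a timeout.
block_outbound() {
    iptables -C OUTPUT -d "$1" -j REJECT 2>/dev/null ||
        iptables -I OUTPUT -d "$1" -j REJECT
}

# Pure check: reads "iptables -S OUTPUT" output on stdin and succeeds when the
# block for $1 is present. Works on a saved dump as well as on the live table.
rule_present() {
    grep -qF -- "-A OUTPUT -d $1 -j REJECT"
}

if [ "${APPLY_BLOCK:-0}" = 1 ]; then            # APPLY_BLOCK=1 ./block.sh
    block_outbound "$BLOCKED"
    iptables -S OUTPUT | rule_present "$BLOCKED" && echo "outbound $BLOCKED rejected"
    # Persist: dump the ruleset; restore it at boot with "iptables-restore < FILE".
    # /etc/iptables.rules is an assumed path; use your distribution's location.
    iptables-save > /etc/iptables.rules
fi

# Constructed dump in the form "iptables -S OUTPUT" prints after block_outbound ran.
SAMPLE_DUMP='-P OUTPUT ACCEPT
-A OUTPUT -d 64.94.110.11/32 -j REJECT --reject-with icmp-port-unreachable'

printf '%s\n' "$SAMPLE_DUMP" | rule_present "$BLOCKED" && echo "sample dump: block present"
```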

Quick and easy htpasswd restricted access

Ever wondered how to password protect a directory on your web server? This article will explain how it’s done.

I should warn that htpasswd files on their own are quite insecure. If you are also using https then you should be fine, but with normal http your username & password are transmitted over the Internet in the clear. So in addition to these steps you’ll want to take other steps to really secure your site.

  1. Create a .htpasswd file and add its first user. This can go anywhere you like. I put mine in the actual directory I want to secure. The command might be
     htpasswd -c /foodotcom/restricted/.htpasswd adminuser
  2. Create a directory section for your secured directory
     <Directory /foodotcom/restricted/>
         AuthType Basic
         AuthName "Whatever you want to appear in the dialog box"
         AuthUserFile [path to your .htpasswd file from step 1]
         Require valid-user
     </Directory>
  3. Test the new apache config to make sure it is valid syntax.
     apachectl configtest
  4. Restart apache
     apachectl restart
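As an added check (not from the post), this POSIX sh function flags the two host-side problems that undermine an htpasswd setup: a password file that is world-readable, and one that lives under the document root, where it is only safe while Apache’s .ht* deny is in place; the /foodotcom layout from the steps above is mirrored in a temporary directory that the script builds itself.

```shell
#!/bin/sh
# Added example, not from the post: check a .htpasswd file before relying on it.
# Keeping the file inside the protected directory (as the post does) is safe
# only while Apache denies ".ht*" files, which the stock httpd.conf does with a
# <Files ".ht*"> block, and only if the file is not world-readable on the host.
# Assumes a POSIX find (-perm -004) and that the httpd group owns the file.
# Usage: htpasswd_check FILE DOCROOT  -> exit 0 when clean, 1 with findings listed
htpasswd_check() {
    file=$1 docroot=$2 rc=0
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    [ -d "$docroot" ] || { echo "no such document root: $docroot"; return 1; }
    # World-readable: any local account can copy the hashes for offline cracking.
    if [ -n "$(find "$file" -perm -004)" ]; then
        echo "$file is world-readable: chgrp to the httpd group and chmod 640"
        rc=1
    fi
    # Under the document root: one missing <Files ".ht*"> deny and it is served.
    case "$(cd "$(dirname "$file")" && pwd -P)/" in
        "$(cd "$docroot" && pwd -P)/"*)
            echo "$file is under $docroot: confirm the .ht* deny or move it outside"
            rc=1 ;;
    esac
    return "$rc"
}

# Constructed demo of the post's layout: file inside the secured directory, mode 644.
# The hash is a placeholder, not a real htpasswd entry.
demo=$(mktemp -d)
mkdir -p "$demo/htdocs/restricted"
printf 'adminuser:$apr1$PLACEHOLDER$PLACEHOLDERHASH\n' > "$demo/htdocs/restricted/.htpasswd"
chmod 644 "$demo/htdocs/restricted/.htpasswd"
htpasswd_check "$demo/htdocs/restricted/.htpasswd" "$demo/htdocs" || echo "fix the findings above"
rm -rf "$demo"
```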