Thursday, August 16, 2012

Centos Minimal Install with Railo 4

I have been using Centos Minimal as a basis for a project for a while
now. I like it because it is small, light and very basic. It has a
small attack surface, as the only thing it does by default is accept
SSH connections. If you are a total Centos Minimal newbie, it will
throw you for a loop. The problem is that the network is not
configured by default and the tools to configure it are not installed
by default. It is like buying a car with the keys locked inside of it.

Well, not really. You can edit the network configuration file
(/etc/sysconfig/network-scripts/ifcfg-eth0). A further note for Centos
newbies: nano is not installed by default either, so you need to use
vi. As much for my own reference as for anyone who might bother
reading this, here are the settings I normally put in the ifcfg file:

DEVICE=eth0
IPADDR=10.10.10.80
NETMASK=255.255.255.0
GATEWAY=10.10.10.1
DNS1=8.8.8.8
ONBOOT="yes"

This is for a static IP configuration. If you need DHCP then the
config file is more like this:

DEVICE=eth0
BOOTPROTO="dhcp"
HWADDR=00:0C:41:22:33:44
ONBOOT="yes"

Once you have edited the file, save it and restart networking. I
usually use the service command like this: "service network restart"

Now networking should hopefully be up. If you are in a VM like
VirtualBox, be sure to set the network interface mode properly; in my
case I set it to bridged so that I can use real IPs from my network.
You can test by running yum update to get the system up to date. At
this point I install the services and tools I need. At a minimum I get
wget, Apache httpd and PHP with "yum install wget httpd php".

For my project I need Railo (http://www.getrailo.org). Installing
Railo has gotten so much easier with the version 4 beta. To grab
Railo I use: "wget
http://www.getrailo.org/down.cfm?item=/railo/remote/download/4.0.0.013/tomcat/linux/railo-4.0.0.013-BETA2-linux-installer.run"
or you can trust me and use "wget http://bit.ly/P0vi2g". Make the
installer executable with "chmod +x
railo-4.0.0.013-BETA2-linux-installer.run" and then run it with
"./railo-4.0.0.013-BETA2-linux-installer.run".

The wizard will ask you questions about your Apache installation,
usernames and passwords for your configuration. The defaults are
more or less sufficient; it is a good idea to run services with their
own service account and not root.

If you were to test the installation at this point, you would be
disappointed to find that it will not work. The reason is that the
firewall installed by default blocks everything except SSH. You will
need to add some rules to the firewall to allow connections. Here is
my basic set of commands to open the firewall for httpd and Railo:

iptables -I INPUT 2 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 8888 -j ACCEPT
service iptables save
service iptables restart

The 8888 is the Tomcat port set during the wizard. If you changed that
port then be sure to open the proper port in the firewall. Some online
documentation says to use the iptables -A command to append to the
"INPUT" chain; the problem with that is that it will put your rules
below the "deny all" rule, where they never match. As we all want the
rules we add to work, I insert them (iptables -I) as the second rule.
This is rather harmless as it just pushes each subsequent rule down.
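To check that an added rule actually sits above the "deny all" rule rather than being shadowed by it, here is an added shell example (not code from the post). It walks a constructed `iptables -S INPUT` listing, which is an assumption standing in for real output, and classifies a port as open, shadowed or closed.

```shell
#!/bin/sh
# Constructed sample of `iptables -S INPUT` output (not captured from a real box):
# a CentOS 6 minimal rule set after appending (-A) a rule for tcp/8888 and
# inserting (-I INPUT 2) a rule for tcp/80.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 8888 -j ACCEPT'

# port_status PORT [RULES]: walk the INPUT chain in order and report whether an
# ACCEPT for tcp/PORT is "open" (sits above the catch-all REJECT/DROP), "shadowed"
# (only appears below it, so it never matches) or "closed" (no ACCEPT at all).
# RULES defaults to the constructed sample; pass "$(iptables -S INPUT)" on a real host.
port_status() {
    port=$1
    rules=${2:-$SAMPLE_RULES}
    printf '%s\n' "$rules" | awk -v port="$port" '
        /^-P/ { next }                                  # chain policy, not a rule
        $0 ~ ("--dport " port " ") && /-j ACCEPT/ {
            print (catchall ? "shadowed" : "open"); found = 1; exit
        }
        /^-A INPUT -j (REJECT|DROP)/ { catchall = 1 }   # the "deny all" rule
        END { if (!found) print "closed" }'
}

# audit PORT...: print the status of each port and exit non-zero if any of them
# is not reachable, a handy sanity check after "service iptables restart".
audit() {
    rc=0
    for p in "$@"; do
        s=$(port_status "$p")
        echo "tcp/$p: $s"
        [ "$s" = open ] || rc=1
    done
    return $rc
}
```

With the sample rules, `audit 80 8888` reports tcp/80 as open and tcp/8888 as shadowed, which is exactly what appending with -A gets you.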

Before you mess with the iptables rules it might be wise to look them
over with "iptables -L -v" to be sure there are no important rules at
the top. When I set up firewall rules, if I am specifically blocking
something, I put that rule first, and the last rule should be the "deny
all" rule. Say I am blocking a specific troublesome IP address; then
I would add the blocking rule as the first entry. This might be
"iptables -I INPUT 1 -s 211.144.68.163 -j DROP", or if I wanted to
block a troublesome network, "iptables -I INPUT 1 -s 202.0.0.0/8 -j
DROP".

Good luck!

Friday, June 29, 2012

Adobe Flash is not dead, but it does not look good.

A while ago I blogged about Adobe's decision to "Open Source" Flex
(http://simple-webdesign.blogspot.com/2011/11/thanks-for-nothing-adobe.html).
The feeling at the time was that Adobe was teetering on the edge
of killing Flash. The adoption of other standards by Apple, Google
and even Microsoft served to shrink Adobe Flash's market. Then we
hear that Adobe is getting rid of the Android Flash plugin
(http://blogs.adobe.com/flashplayer/2012/06/flash-player-and-android-update.html).

This is a good thing in the long run, as Adobe has ruined Flash
entirely. This is impressive considering where Flash started: it was
the bane of dial-up users in the 90s and then a major security concern
of the 00s. Steve Jobs will be remembered for a lot of things, but I
think I will admire how he killed Flash by speaking the truth. It was
a brave thing to do, to say "Adobe has no clothes". They were part of
the complacent IT crowd that assumed technologies like Internet
Explorer, PDF, desktops and Flash would be a part of our lives
forever. This is no longer the case.

Maybe this will let Adobe shrink and focus on what they do well,
making multimedia creation applications, and not things they never did
well, such as driving web technologies. The Macromedia acquisition by
Adobe was a big, big mistake for everyone except the people who cashed
in on the stock. Since then it has been a phenomenal loss. With the
death of Flash, what is Adobe left with? They killed Freehand (it was
inferior to Illustrator anyhow). Adobe is left with Fireworks,
Dreamweaver and ColdFusion. What a mess. Adobe is primarily a
multimedia content creation company and they hold the *best*
closed-source web application server technology (meaning: better than
ASP, as that is all that is left). I never liked Fireworks, but on the
other hand I am a designer who can program, so maybe I was not intended
to like it. I was OK with Dreamweaver, but it is hardly essential, and
I consider it strange that Flex/Flash Builder was based on the MUCH
better Eclipse and not Dreamweaver. If they were going to charge
money for something, why not leverage their own products? But those are
the dumb moves that got us to this point.

Adobe pushed Flash to be everything to everyone without considering
"should" they do something vs. "can" they do something. They have the
same issue with PDF, so it comes as no surprise that I think PDF's
days are numbered as well. All of this is too bad. Flash is still a
great animation platform, only for television and not the web. For
example, the new Titmouse cartoon MotorCity
(http://peopleofmotorcity.tumblr.com/) is entirely Flash... or mostly
Flash, as I assume a lot of the car/racing effects are 3D. Flash is an
important part of their workflow; a complete dissolution of Flash
would alter how they work. I like Flash for animation and drawing; it
is what I doodle in when I have the chance. The excellent webcomics
of Humor Scientist Kris Straub (http://krisstraub.com/) are done in
Flash.

I'd hope this only spells the doom of Flash the plug-in and not Flash
the vector animation and drawing package. I'd really hope for an open
source alternative to the drawing and animation functions of Flash but
that is because I'd like to use a new version of Flash on Linux
without Wine. If you know of such an open source application that is
as smooth as Flash for drawing and animating I'd love to hear about
it.

Wednesday, June 27, 2012

It has been 2 years, time for a XBOX Live problem

So 2 years ago this happened
(http://simple-webdesign.blogspot.com/2010/11/xbox-live-anguish.html).
We had a big problem with XBox Live where Microsoft tried to charge
the automatic subscription fee to an expired card. When we bought a
gift card for our son to renew his subscription, he couldn't, because
the account was locked after they billed the expired card. Two years
ago, I sat on a phone for close to 8 hours for the opportunity to give
Microsoft money. It has been two years, and the card the subscription
bills to has expired. Have they made things better?

No. Things are not better. The card was about to expire, so before
the subscription fee came due we decided to update the card information
BEFORE it expired. Turns out you can't. The new card has the same
numbers as the old card, with the exception of the expiration date and
the CVV2 code. For 10 hours my son and then my wife tried to update the
card on the console. It would look like it took, but when you went back
into the billing area the number had reverted to the expired card
information. I got home and did a few Google searches (I won't use
Bing!). Every XBox forum post link resulted in an ASPX error (nice
advertisement for the raw power of ASP!). Via Google cache, I was
able to get the real support page for XBox Live
(http://support.xbox.com/en-US/contact-us). I was not able to find
that page otherwise, only a hell of pages that link to each other with
"trouble-shooting" information on them.

I tweeted to the XBox Live support account and got a few
back-and-forth tweets of moderate usefulness. The real help came in
the form of an agent on their chat system. The first time I went on
chat, the page informed me that I would only have to wait about 3
minutes. I waited 45 minutes to get to number 2 in the queue, only to
stay there another 35 minutes. I left, got back into chat and
spent another hour waiting for an agent. After going from 26th to
1st, I met Nichole (my second most favorite Microsoft employee,
EVER!). She had me do some things, and in the end we had to cancel the
current subscription; she re-issued me "gift subscription" codes to
get back my remaining balance of time, and then we had to resubscribe
to XBox Live with the gift codes and then enter the new card.

Once again, I found myself putting in a solid day of work to give
Microsoft money. Am I out of line to think that, as a customer, they
should put in a day's work to GET my money? What success would a
business be if to pay your bill with them you had to wrestle
alligators and jump through flaming hoops just to hand them a check?

I think about our other console, the Wii. Internet access is free on
the Wii. It is integrated with Wi-Fi, which is the way MOST people
access the Internet from devices in their homes. If you want to buy
stuff to play on the Wii from their store, you can buy points from the
console or Grandma can mail you a gift card. No subscriptions, no
adapters, no multi-layer accounts (Windows Live account -> XBox Live
Profile??). Nintendo does the work and you give them money. They made
it easy. Microsoft intentionally makes it harder than anyone else.
In the age of the App Store and Google Play Store, or even the Ubuntu
Software Center, users can buy and install programs very easily. Is
this usual XBox Live fiasco the way it will work with Windows 8? I
hope not!

Not that it matters, I'd love to throw the damn XBox into the sea
after this last set of issues. Check back with me in 2014, maybe they
will have fixed it by then? LOL!

Friday, June 22, 2012

Scan a network for Public and Private SNMP with Linux

This applies, in my case, to a VirtualBox VM running BackTrack 5r2. I
have a network I inherited. It has been a source of pain that few
could describe. Recent events had me curious: "How do I find out if I
have dumb SNMP configurations on my network?" Often devices come with
bad SNMP defaults, other times people do dumb things, and sometimes
there is a calamitous combination of the two.

The tool of my choice to scan for public and private community strings
was snmpwalk on BackTrack. I am sure there are other tools and it
might not be the perfect choice; hence my initial frustration at the
lack of documentation and my desire to create this post.

snmpwalk is available for many Linux distributions and offers a huge
array of capabilities. For a quick sample of snmpwalk commands you
can check Kioptrix (http://www.kioptrix.com/blog/?p=29). I went with
a very basic command, as I was hoping not to get any results at all.
The command I went with was:

snmpwalk -c public -v1 targetIP

This worked great for a single IP address, but I had a whole class C
network to scan. So it was time to use some bash to make this work.
I must confess I love Linux but have the most experience with Windows.
If you are like me then you might be interested in a way to scan a
whole network.

for i in {1..254}; do snmpwalk -c public -v1 192.168.10.$i >> snmp_scan_$i; done

This will scan all the IPs from 192.168.10.1 to 192.168.10.254 for
devices with SNMP configured with a community string of "public",
writing each host's output to its own snmp_scan_N file. You can change
this to scan for "private" or scan other IP ranges. I am sure there is
a better way to filter out the "No Response from .." messages, but
this worked for me and I wanted to give back to the Internet.
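To sort the per-host files the loop above leaves behind into hosts that actually answered the community string (the misconfigurations you are auditing for) and hosts that timed out, here is an added shell example, not code from the post. It assumes the loop's file naming (snmp_scan_<last octet>), net-snmp's "Timeout: No Response from" message and its -t/-r timeout options; the sample results are constructed.

```shell
#!/bin/sh
# Assumptions (not from the post): the loop wrote one file per host named
# snmp_scan_<last octet>; net-snmp reports a silent host as
# "Timeout: No Response from <ip>"; real answers look like
# "SNMPv2-MIB::sysDescr.0 = STRING: ...".

# scan_subnet PREFIX COMMUNITY: the post's loop with a one-second timeout and no
# retries (-t 1 -r 0) so a /24 finishes quickly. stderr, where the timeout
# message goes, is captured too, so every file records what happened to that host.
scan_subnet() {
    prefix=$1; community=$2
    for i in $(seq 1 254); do
        snmpwalk -c "$community" -v1 -t 1 -r 0 "$prefix.$i" > "snmp_scan_$i" 2>&1
    done
}

# make_sample_dir DIR: constructed results for three hosts (not real scan output).
make_sample_dir() {
    mkdir -p "$1"
    printf 'Timeout: No Response from 192.168.10.1\n' > "$1/snmp_scan_1"
    printf 'SNMPv2-MIB::sysDescr.0 = STRING: Constructed Switch OS 1.0\n' > "$1/snmp_scan_2"
    printf 'SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.99999\n' >> "$1/snmp_scan_2"
    : > "$1/snmp_scan_3"    # nothing captured at all
}

# responders DIR PREFIX: print "<ip> <sysDescr>" for each host whose file holds a
# real SNMP answer (a "name = value" line); timeouts and empty files are skipped.
# Every host listed here answers the community string you scanned with and is a
# candidate for a configuration fix.
responders() {
    dir=$1; prefix=$2
    for f in "$dir"/snmp_scan_*; do
        grep -q ' = ' "$f" 2>/dev/null || continue
        descr=$(sed -n 's/^SNMPv2-MIB::sysDescr\.0 = STRING: //p' "$f" | head -n 1)
        printf '%s.%s %s\n' "$prefix" "${f##*_}" "${descr:-(no sysDescr)}"
    done
}
```

On a real scan, run `scan_subnet 192.168.10 public` in an empty directory and then `responders . 192.168.10` to get just the answering hosts.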

If you found this at all helpful then please leave a comment!

Friday, April 13, 2012

Roll your own Software Installation GPOs

So, these days almost everyone has Active Directory (AD) implemented.
I even know a few people who run it at their homes (nothing I would
do). If you have AD and you are not using Group Policy Objects (GPOs)
to manage things then you are wasting your time. GPOs are the main
reason to put up with a Microsoft AD network. Since I am a designer,
who seems to have little time for design these days, I am no AD/GPO
guru but can cause some damage. I would like to pass along some of my
dangerous knowledge to you!

GPOs can do all kinds of things, but they are best at messing with the
registries of the computers on the domain. GPOs can also install
applications automatically on the domain computers. If you think that
process would be easy, you are sadly mistaken. The only way a GPO can
push out an application automatically is if the application is
packaged as an MSI. Some cool programs like 7-Zip and
Libre/OpenOffice have msi versions you can download and push out.
Other, cooler programs do not.

Here is how to make your own MSI files for pushing out applications
with software installation GPOs:

Requirements: 7-Zip, the 7-Zip 7z SFX Library
(http://www.7-zip.org/download.html), exe2msi
(http://www.qwertylab.com/), and Microsoft ORCA
(http://www.technipages.com/download-orca-msi-editor)

Step One: Understand the installation process of your program. You
want a silent install of the application. If there is an installation
wizard, you need to know how to script the install of the program. If
you can't do that then you are (mostly) SOL. In my example I want to
push out a program and schedule a task to run that program
periodically. To install the program I just need to copy a file to a
directory and then run SCHTASKS to schedule the task. I will use a
regular BAT file to script this process.

Step Two: Assemble the files. I usually make a directory that will
contain all the components I need to perform the installation. This
would be something like setup.exe and any associated files. If you
need to run the installation program with command switches to make it
run in a scripted and silent way, then you might want to call it from a
BAT file. The important thing to know at this point is what command is
needed to kick off the installation, as it will need to be configured
in the self-extracting exe in the next step. Once all the files are
in the same directory, select them and right-click to add them to a 7z
file (scheduleProgram.7z in my case). The files for my program
consist of an exe file and the bat file used to make a directory, copy
the exe to the directory and run the SCHTASKS command to schedule the task.

Step Three: Make the self-extracting exe file. Copy the new 7z file
containing the installation files and any scripts needed to perform
the silent install to a new folder containing the 7z SFX library
(7zS.sfx in my case). You will need to make a new text file called
config.txt and insert the following into it:

;!@Install@!UTF-8!
Title="Name Of Your Program"
RunProgram="install.bat"
;!@InstallEnd@!

You will need to edit the name of your program and change
"install.bat" to whatever is needed to install your program. In my
case it is install.bat as that creates a directory, copies the files I
need and then runs the SCHTASKS command. To automate the process a
bit, I usually make a bat file in this directory to run the command to
smush all these files together to make the self-extracting exe. You
can run the same command from a command prompt in the proper directory
or you can just make a "make.bat" in the folder with the following as
the contents:

copy /b 7zs.sfx + config.txt + scheduleProgram.7z scheduleProgram.exe

The "/b" is a binary copy and the "+"s combine the files together.
Copy copies the files and combines them into "scheduleProgram.exe".

This is a good time to test the new SFX executable, check the order of
the files in the copy command and the contents of the config.txt if
you have problems.

Step Four: After your SFX exe is tested and working, it is time to turn
it into an MSI. There are many options out there; a free option is
the WiX (http://wix.sourceforge.net/) package. I am not familiar with
it and have had success with the free version of exe2msi. I am not
sure about the license or how the use of the free version is limited.
As the free version has problems from time to time, I assume the "pro"
version would have fewer issues to warrant the $299. Since the free
version is a decent product, if you have money in your budget and want
to support decent software, consider buying the pro version.

Exe2msi is simple, run the exe2msi.exe program after installing it and
browse to the SFX Exe you created. Leave the arguments field blank
and just hit Build MSI. Once it is done then just close the exe2msi
application. Now the MSI is done and can be tested for installation.
If you can install the program as expected from the MSI you are ready
for the next step. If there are problems then double-check the SFX
Exe works properly and re-build the MSI.

Step Five: Test the MSI with ORCA. This will save a lot of time if
there are problems with the way the MSI was generated. Later, if you
notice the MSI fails to install via GPO but the Windows\temp folder on
the targeted computers is getting files like "MSI----.LOG" containing
lines like "1: 2905 2: C:\WINDOWS\system32\appmgmt\MACHINE...", then you
need to run ORCA.

ORCA is an abandoned Microsoft tool for editing MSI files and the
databases they contain. To use it, simply install ORCA, right-click
any MSI file and hit "Edit with Orca". Once ORCA opens the MSI file,
hit Tools, Validate. In the validation evaluation file box leave it
reading "Full MSI Validation Suite" and hit "Go". When I was having
problems I had the errors: "The InstallExecuteSequence table does not
contain the set of actions (PublishFeatures, PublishProduct)" as well
as "The PublishFeatures action is required in the AdvtExecuteSequence
table" and "The PublishProduct action is required in the
AdvtExecuteSequence table". To fix those errors I added a row to the
InstallExecuteSequence and AdvtExecuteSequence tables for
PublishFeatures (with a sequence of "6300") and PublishProduct (with a
sequence of "6400"). After any required edits are done, save the MSI
file.

Step Six: Make a share on the server to hold your installation files.
Share out the folder with permissions to "AUTHENTICATED USERS" and
"DOMAIN COMPUTERS" to have at least read and execute permissions on
the share and to the files themselves. The Software installation GPO
runs with the computer account and not the user account, those two
groups with read and execute permissions should allow the computer
account to run the installation MSI.

Step Seven: Open Group Policy Management, make a new GPO and link
it to the OU for the computers you wish to target. It is best to make
a test OU and move a machine you wish to test the GPO with into that
OU. In the Group Policy Object Editor, under the "Computer
Configuration", "Software installation" area, hit New, Package.
Browse through the network to the share you created in step six and
select the MSI you wish to install. Do not browse via "My Computer"
or any path that uses drive letters, as the computer account
installing the MSI will not have access to those resources; only paths
that look like "\\computer\share\install.msi" will work. Make sure
the package points to the MSI at the proper path (the "source" should
look like the noted path and not contain any drive letters), make sure
the package is "assigned", and make sure the GPO link is enabled on the
OU where the testing computer is placed in Active Directory.

Step Eight: Wait and reboot the computer or run GPUPDATE /FORCE on it
to force the GPO installation to start. Either one will make the
computer reboot, check the GPO and install the MSI as you configured.
If there is a problem and you need to re-test, you can later right
click on the package and hit "all tasks", "redeploy application" to
force it to be sent back out to the computers in the linked OUs.

If you have problems in step Seven where you can't edit the new GPO
because of some "path not found" error, right-click the new GPO and
hit "Back Up..." and back up the new GPO to some location on the
server. Then, right click the new GPO and hit "Restore from
Backup..." and restore the same GPO back. For some reason this was
necessary in my situation.

Software installation by GPO is a typical Microsoft solution where the
promised benefit is almost outweighed by the effort to implement what
should be a simple process. The lack of tools, which should come with
Microsoft Windows Server, makes the situation almost impossible for the
casual network admin to implement GPO software installations.
Hopefully this can guide you through the process to actually implement
GPO software installations.
