Trip to China … what I learned, what to expect, what to do.

China was a wonderful trip and I’d definitely recommend it to anyone. I wasn’t introduced to much that was unexpected – at least not at the level that people I’ve talked to have exaggerated about. It could have been due to the protection of the tour guides or what people had told me to watch out for, but it seems to me that Beijing and Shanghai are just regular cities, differing very little from San Francisco. Well, they’re unique in their own ways, but the “culture shock” that people have talked about didn’t really hit me. Well, this is the list of the expected:

  1. Don’t drink tap water
  2. Toilets could be just a hole in the ground with a lid. (Squatting toilets)
  3. Some toilets don’t have toilet paper – bring your own.
  4. Traffic is pretty crazy – rules are different.

That’s about it. I think the rest is pretty much the same.

So what was unexpected? If you go on a tour, it’s likely that the service you get anywhere you go, is much better than that in the United States. Of course you pay for what you get, but I assure you that service in China is among the best in the world – maybe not the way they speak, but the way they act for sure. There were times where I felt disrespected, but those are only because I had based them on American values. Pushing and shoving, spitting on the sidewalk (I do it too by the way), and much of the way people say things in China can be offensive to Americans. I’m a firm believer that actions speak louder than words and that it’s just the way you see things. You choose your point of view and will be offended only when you choose to. It’s just a different culture. I bought an apple pear for 2.5 Yuan. For the 2.5 Yuan, the lady peeled it for me. In the States, I don’t ever see this happening. 2.5 Yuan is currently about $0.30 USD. You can’t buy an apple pear for $0.30 and it’s not likely that you can buy one peeled for you and ready to eat, for $3.00. When buying a belt in a store in Guangzhou, I talked to the salesperson for twenty minutes before deciding on the belt I wanted and even after that, I had him agree to adjust the belt size for me. Total cost for the belt was 29 Yuan. In American dollars, it’s less than $4.00. Another thing is that I haven’t heard very many “thanks” after purchases. I think it’s just another example of the Chinese “show me, don’t tell me” culture.

What did I learn? Well, I was told a lot (kind of like a lecture in class). What did I learn due to my own curiosity? I learned that little kids, instead of using diapers, have pants with holes in them – they just change pants. I learned that some people here are not nearly as fortunate as we are in the States. Well, I already knew that, but I had a massage today and, talking to the lovely young lady who gave it to me, I learned that she had just a high school education (maybe just junior high) and that she had no chance to go to college because she had two other sisters that she had to take care of in one way or another that wasn’t clear to me. It sounded very sad and I was thinking about what I could do to help her and give her some opportunity. Unfortunately, I was too shy to ask questions that might be too personal and was afraid to take responsibility for any promises I could make. I just left her a bigger than recommended tip. Her job is very hard, although she doesn’t have to do it much. It takes a lot of energy and is very hard on her fingers.

Some advice for those that will be visiting China:

  1. Try squatting on a western style toilet seat (just put your feet up on the seat and try using the toilet that way and get the experience).
  2. Bring your own water, buy bottled water, or boil before drinking – never drink tap water.
  3. Bring your vitamins. Bring your medicine. Bring stomach medicine. Bring mouthwash.
  4. Always have extra toilet paper or tissues.
  5. Check the foreign exchange rate before exchanging currencies. Do not exchange it with people from the street (you don’t want counterfeit money) – be sure to do it in a hotel or a bank, or just withdraw money from an ATM.
  6. Don’t give money to beggars. The people in the country that work hard deserve more for working. Also, if you give to beggars, you might see a swarm of them come after you after you give to one.
  7. You don’t have to tip in most cases – if you follow a tour, it’s likely that the tip was already included in your meal. You may want to ask your guide before tipping. I like tipping though. In the States, you’d pay a lot more in tips. I think that people in China deserve a lot more also. By their standards, I overtip them by a lot.
  8. Always bargain when purchasing any goods on the street. Also, there are many little stands that sell the same stuff. It might be good to do comparison-shopping. Here’s my template for bargaining:
    a. Buyer: How much?
    b. Seller: Some number
    c. Buyer: (No matter how reasonable) That much!?
    d. Seller: Yes.
    e. Buyer: I want cheaper.
    f. Seller: How much are you willing to pay?
    g. Buyer: How much lower can you go?
    h. And from here, you decide on how you can play. You may want to ask for quantity discounts, etc. As a rule of thumb, I would shoot for 1/4 to 3/4 the amount originally stated. Use your common sense of course. If you’d shopped around and someone offers something to you for less than you’d paid before, it’s not likely you’d get a discount. Also, if it’s a really cheap item like a bottle of water for 3 Yuan, it’s not likely you’ll get a discount either.
  9. Buy stuff away from the tourist areas and places where the locals shop also. You’ll get a better deal that way.
  10. Don’t buy too much if you will be flying in China domestically. There’s a fee for going over a certain weight limit when carrying cargo. Buy most of what you want at your last stop in China.
  11. Bring your 240-110 volt converter if you have one. If not, make sure that the one you borrow from the hotel is a real converter – it should be heavy. You don’t want to blow out any of your devices.
  12. Bring extra batteries and a camera with a flash. 400mm film or a digital camera was recommended to me. Bring a camcorder if you have one.
  13. Don’t bring too much clothing. One or two sets of warm clothing should suffice. (So that you have a smaller load to carry). You could buy more warm clothing on the street should you need it. It’s much cheaper to buy in China than anywhere in the States.
  14. Try to learn as much Mandarin as you can. That’s China’s national language.
  15. Work out and get in shape. Walking the Great Wall and up the mountains in Guilin is quite exhausting.
  16. Buy foot massages whenever you can. You probably won’t get them anywhere else in the world for a similar price. It’s well worth it. (Also remember to tip)

I think that the best way to learn is this. Teach your children their history and let them take a tour of the place where it happened. Of course, you’ll have to have a good tour guide who knows the history. We were immensely blessed with having accomplished tour guides that were courteous and easy to understand.

We had a wonderful tour guide by the name of Lisa Lee. We had initially met on bad terms, however. When we arrived at the airport, there was no one there to pick us up! There were 18 of us in the group and it turned out that we waited 3 hours before anyone arrived to greet us! What the heck did we do for the 3 hours? Not surprisingly, the first stage was shock. Interestingly (and luckily), we all found each other (the rest of the group of tourists). Then again, we would’ve all found each other anyway because until the next plane arrived, we were practically the only ones in the airport! Some of us wondered if we’d been had – if this tour was really just a scam. I don’t think any of us had ever bothered to check with any of the hotels to see if reservations had really been made. The next thing we did was try contacting them. Funny thing was, their phone number had changed and they were no longer at that number. To keep the story short, we probably didn’t know until an hour and a half later whether or not someone was really coming. A lot of things were going through our minds as we waited. Whether we should take a taxi to the hotel and whether or not the touring company would pay for the ride, what we were going to do if they didn’t show up – there’s a lot that goes through just one person’s mind when puzzled; just imagine 18 minds. Meeting Lisa was an immediate relief. Her enthusiasm and friendliness easily overcame all barriers that I may have put up and she instantly left me with a good impression. The following days only strengthened this notion, as I was extremely impressed with her knowledge of Beijing. She explained a lot of the tour sites and the events that occurred there. With over 5000 years of Chinese history and over 3000 years of written Chinese history, you can imagine there’s quite a lot to talk about. I think that my lack of vocabulary really limits the amount of good things I can say about her.
She really took care of us, explaining how China differs from more developed countries. She also brought us to the more developed areas. For instance, she told us which restrooms to use – showing us where the cleaner ones were. She protected us from the locals – not to say that the locals are bad, but she made us aware of what could happen. She told us to watch our purses and wallets at least twice before entering WongFuJing. She told us to avoid any political talk before entering the Forbidden City. Furthermore, her mastery of the English language was also impressive. I did not expect anyone to speak English at her level.

In the 2 days, we visited the monumental sites of Beijing and have the pictures to prove it. First was the Temple of Heaven. This is the main site for Beijing tourism – being there, you could really imagine and admire and appreciate the work. Buildings erected at a time when there were no bulldozers, or even cars for that matter. The main building in the Temple of Heaven is a pagoda with 3 roofs and was built without nails or cement. Our tour guide explained how it was built – the many different pillars and the way it was supported. Unfortunately, like many of the magnificent treasures of China, the lights were not on in the building. Not that it’s a big deal, but my guess is they didn’t want tourists to mess the place up. I wonder what would happen if the tourists decided to step over the line, if they just decided to walk on in. They were blocked off by nothing but one thick wire. Anybody could easily go over or under. For that matter, I would think the same about a plane – one that I will be on in a couple of hours – what would happen. It’s quite a sick thought.

Tiananmen Square. After a long walk and a tour around the outside of the Forbidden City, the first sight of the inside was breathtaking to say the least. Seeing it on television or in print is one thing, but being there, I can tell you, it’s different. The size and complexity of it requires a map to navigate (unless it’s familiar territory – luckily for us, we had a guide). The king must’ve had a really great life – the servants, the view, the perks! You can really admire the piece of art. If you look, you won’t think there are windows in the buildings. As a matter of fact, there are no transparent glass or plastic windows. So how do the buildings get oxygen? You can see the windows in the little designed cuts in the walls. Also, if you have the good fortune of touring on a rainy day, you could see water coming out of the dragons’ mouths. It wasn’t a sight that I witnessed first hand, but it’s quite a concept. The reason for the design is fire. Since the dragons’ mouths could hit practically every part of the landmark, if there ever is a fire, firefighting would be a relatively easy task. It’s no wonder that they could make such a landmark with so much wood. By the way, this was all built just less than a century before Columbus sailed the ocean blue in 1492! I think the documented date is 1430.

The Great Wall – the pride of China. While taking pictures on the bus, another tourist said to me, “Why? You have plenty of places to take pictures – look at how long the wall is!”

The rest of Beijing was pretty simple compared to the first two sites. We had a remarkable lunch at what used to be Yuan May Yuan – it was a very pretty place with awesome service. The Summer Palace. A Tea House. A massage. Dinner. Watched an acrobat show. Ming Tombs. Peking Roast Duck. WongFuJing.

The three key areas for me in this trip were Beijing for man-made sights, Guilin for natural sights, and Guangzhou for food. The rest was icing on the cake. It’s really difficult to be impressed by anything after seeing the Great Wall and Tiananmen Square. Not to say that I wouldn’t have loved to live along the lake in Suchou or have tea in the gardens, but I think that just walking through the Forbidden City is a magical experience in itself. If you think about it, it’d be extremely difficult to build the Great Wall even today with all the great technology we have, let alone centuries ago.

WordPress is under attack! Watch it! Password Protect it!

What? What do you mean? There’s already a password. Yes, you need to log in when you want to put up a new blog post or do maintenance of some sort. However, that doesn’t mean that you can’t have an additional layer of protection. Not only can you have it, WordPress actually recommends it here: https://codex.wordpress.org/Brute_Force_Attacks

I looked in my nginx access log and I saw a bunch of messages that looked like this:

95.219.148.136 - - [16/Nov/2017:06:34:33 -0800] "GET /wp-login.php HTTP/1.1" 402 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
95.219.148.136 - - [16/Nov/2017:06:34:34 -0800] "GET / HTTP/1.1" 200 21587 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
202.152.71.21 - - [16/Nov/2017:06:40:48 -0800] "GET /wp-login.php HTTP/1.1" 402 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
202.152.71.21 - - [16/Nov/2017:06:40:49 -0800] "GET / HTTP/1.1" 200 21589 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
177.221.4.36 - - [16/Nov/2017:06:55:42 -0800] "GET /wp-login.php HTTP/1.1" 402 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
177.221.4.36 - - [16/Nov/2017:06:55:42 -0800] "GET / HTTP/1.1" 200 21589 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"

After doing some investigation, it appeared to be the Sathurbot attacking my blog site. It’s some sort of distributed piece of malware that attacks poorly maintained blogs or blogs with weak passwords. The malware tries to attack wp-login.php and something else. You can read more about it here: https://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/.

The first thing I did to counter this issue was switch Cloudflare to “under attack” mode. This gives the client a short delay (a challenge page) when connecting to your site, so the bots can’t get to the file. This should stop the entries in the log completely and immediately. Since I don’t want users to see the delay all of the time, I decided after the attacks slowed down to have nginx password protect the file, so that when anything requests it, nginx asks for a password as well. This way, you’ll need to authenticate twice to get into WordPress, but that’s okay. The extra trouble gives me peace of mind that I’m less likely to be attacked.

With nginx, I did it this way:

location ^~ /wp-login.php {
 auth_basic "Administrator Login";
 auth_basic_user_file /etc/nginx/conf.d/.htpasswd;
 include fastcgi.conf;
 fastcgi_intercept_errors on;
 fastcgi_pass php-wphandler;
 fastcgi_buffers 16 16k;
 fastcgi_buffer_size 32k;
}

The .htpasswd file holds the username and a hashed password. You can create it with the htpasswd command that comes with the apache2-utils package. The file would look something like this:

alton:$@AFSADF$SDFapr1$yDoxiXVW$aFe

Now in my logs, I get 401 messages instead of 402 messages.

172.68.242.50 - - [29/Nov/2017:09:36:50 -0800] "GET /wp-login.php HTTP/1.1" 401 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" "134.196.23.66"
172.68.246.96 - - [29/Nov/2017:09:45:48 -0800] "GET /wp-login.php HTTP/1.1" 401 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" "193.93.187.11"
162.158.91.51 - - [29/Nov/2017:09:49:22 -0800] "GET /wp-login.php HTTP/1.1" 401 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" "93.172.55.76"
141.101.77.120 - - [29/Nov/2017:10:08:03 -0800] "GET /wp-login.php HTTP/1.1" 401 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" "41.100.125.248"
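
To see at a glance who is hitting wp-login.php and whether the 402s (Cloudflare) and 401s (nginx auth_basic) are holding, here is an added Python example, not from the original post, that parses both log formats shown above and flags any login request that reached WordPress itself. The sample lines are the ones from the post plus one constructed POST from a TEST-NET address; the trailing quoted field is read as the proxied client’s address, which is an assumption about this log format.

```python
import re
from collections import Counter

# Sample log: the first three lines are nginx's combined format as logged while
# Cloudflare's "under attack" mode answered 402; the next three carry the extra
# trailing field with the real client address, as logged once requests were
# proxied through Cloudflare and nginx's auth_basic answered 401. The final
# POST with a 200 is constructed (TEST-NET address) to stand for a request that
# got past the basic-auth layer and reached WordPress itself.
SAMPLE_LOG = """\
95.219.148.136 - - [16/Nov/2017:06:34:33 -0800] "GET /wp-login.php HTTP/1.1" 402 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
95.219.148.136 - - [16/Nov/2017:06:34:34 -0800] "GET / HTTP/1.1" 200 21587 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
202.152.71.21 - - [16/Nov/2017:06:40:48 -0800] "GET /wp-login.php HTTP/1.1" 402 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1"
172.68.242.50 - - [29/Nov/2017:09:36:50 -0800] "GET /wp-login.php HTTP/1.1" 401 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" "134.196.23.66"
162.158.91.51 - - [29/Nov/2017:09:38:12 -0800] "GET /wp-login.php HTTP/1.1" 401 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" "134.196.23.66"
172.68.246.96 - - [29/Nov/2017:09:45:48 -0800] "GET /wp-login.php HTTP/1.1" 401 195 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.1" "193.93.187.11"
141.101.77.120 - - [29/Nov/2017:10:12:30 -0800] "POST /wp-login.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/57.0" "203.0.113.7"
"""

# One combined-format line with an optional trailing quoted field. The default
# "combined" format has no such field; the post's later lines do, and we take
# it to be the proxied client's real address (assumption about this setup).
LOG_RE = re.compile(
    r'^(?P<edge>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: "(?P<client>[^"]*)")?\s*$'
)

# Statuses meaning a layer in front of WordPress stopped the request:
# 402 from Cloudflare's under-attack mode, 401 from nginx auth_basic.
BLOCKED_STATUSES = {401, 402, 403, 429}


def parse_line(line):
    """Parse one access-log line; return a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]
    # Behind Cloudflare the first column is only the edge node; prefer the
    # trailing real-client field whenever the log format carries one.
    rec["source"] = rec["client"] or rec["edge"]
    return rec


def summarize_login_hits(log_text, path="/wp-login.php"):
    """Count hits on the login script by status and by source address, and list
    the requests that were not stopped by Cloudflare or auth_basic."""
    by_status, by_source, reached = Counter(), Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != path:
            continue
        by_status[rec["status"]] += 1
        by_source[rec["source"]] += 1
        if rec["status"] not in BLOCKED_STATUSES:
            reached.append((rec["ts"], rec["source"], rec["method"], rec["status"]))
    return {
        "by_status": dict(by_status),
        "by_source": dict(by_source),
        "reached_wordpress": reached,
    }


if __name__ == "__main__":
    report = summarize_login_hits(SAMPLE_LOG)
    print("wp-login.php hits by status:", report["by_status"])
    for src, n in Counter(report["by_source"]).most_common():
        print(f"  {src:>16}  {n}")
    for ts, src, method, status in report["reached_wordpress"]:
        print(f"reached WordPress: {ts} {src} {method} -> {status}")
```

A 200 on wp-login.php after the auth_basic layer is in place is either you logging in or someone who has your basic-auth credentials, so that list is the one worth reading every time.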

I also know that they’re less likely to hack my site. 🙂

Happy blogging!

Remember to upgrade Virtualbox Guest Additions when you upgrade Virtualbox!

If you’re wondering why you might not be getting access to your shared folders in your guest OS after upgrading Virtualbox, this could be the reason. Virtualbox Guest Additions (like VMware Tools, but for Virtualbox) might need to be upgraded as well.

You can expect a system error 53, network path not found, if the Guest Additions are not installed. In the UI, it will say something like this: “Windows cannot access \\vboxsvr error code: 0x80070035 The network path was not found.”

Hope this helps!

Dropbox, OwnCloud? OneDrive? Which one? or all of them?

Drew Houston did the world a favor when he found USB sticks becoming inconvenient and founded Dropbox in 2007. Everybody I knew that started using it loved it, especially for collaboration on projects. Another use case that I loved it for was backup. I use it now so that I have a copy of my data elsewhere in case my laptop or whatever I’m using blows up. After seeing Dropbox gaining traction, many other companies followed suit, including Google Drive, Microsoft, and Box. The ones I use are Dropbox, Microsoft OneDrive because it comes with my Office 365 account from work, and OwnCloud. What’s OwnCloud? It’s an open source version. It’s one that allows you to keep all of your data in the datacenter or wherever you choose to host it, instead of on someone else’s cloud. It could even be on-premise.

Do you need to choose between the different vendors? Well, there is a way to use them or at least some of them simultaneously. The way I do it is have OwnCloud synced with my Documents folder. All of my work that I want to save is always written there. Inside of the Documents folder, I’ll have one folder for Dropbox and another for OneDrive. This way, OwnCloud backs up everything I have in both, Dropbox and OneDrive. I then keep everything that’s personal in Dropbox and everything that I want to share at work on OneDrive.

Hope this helps someone out there! 🙂

 

Caveats of using a privacy screen

I love my privacy screen on my laptop. I can work with a little more security, thinking that it’s less likely that someone is watching what I’m doing. That said, there are some trade-offs. One of them is that if you want to collaborate with someone, it’s harder for them to see your screen. You’ll need to be sitting directly in front of the screen, so both people will need to be sitting pretty close to each other. On a phone, the same issues apply. Except that often, people like to make videos or take photos, and if you’re taking photos at an angle, for example if you have to raise your arm up and try to snap a photo of something below you like at a ball game, or if you want to take a selfie, it will be more difficult. It’s more likely that you won’t even see yourself or see what you’re filming or taking a photo of. On top of this, if you’re watching high definition movies, you lose a little bit of picture. It does not look as good as if you were watching without the privacy filter. And also, you will need to adjust the brightness of your screen. On the phone, this causes another big problem. The battery does not last as long and the phone gets hot very quickly. All that said, I still prefer my privacy and I will continue to use my privacy screens on both my laptop and my phone. I just need to remove it when working with others or if I’m in the sun or driving.

Using vim-cmd to remedy a bsod

Here’s a great tutorial for vim-cmd by my friend Steve Jin, if you haven’t had experience with it before: www.doublecloud.org/2013/11/vmware-esxi-vim-cmd-command-a-quick-tutorial/

This is a real-world situation I got myself into when I tried connecting to my client VM and found a BSOD that looked like this:

From the usbuhci.sys line in the blue screen, it’s pretty obvious that the reason for the crash is the USB stick that’s plugged in. Since I tunnel into my client VM via SSH and VNC, the easiest way for me to shut down my VM and remedy this issue is through vim-cmd. This only works if you have SSH enabled on your ESXi host, or if you are connecting to the host with the VMware CLI or vMA or whatever they’re calling it these days. I have the former.

The first thing I do after logging into the ESXi host as root is run:

vim-cmd vmsvc/getallvms

I need to know which one of my VMs is the one to manage. I get this:

Vmid Name File Guest OS Version Annotation
1 windows7 [BIG_DISK] windows7/windows7.vmx windows7_64Guest vmx-07
3 thimble [BIG_DISK] thimble/thimble.vmx ubuntu64Guest vmx-08
4 chunli [Datastore 2] chunli2/chunli2.vmx ubuntu64Guest vmx-08
5 zangief [Datastore 2] zangief2/zangief2.vmx ubuntu64Guest vmx-11

With this information, I know that it’s VM 1, so I power it off by running:

vim-cmd vmsvc/power.off 1

Thinking the USB issue might be a fluke, I try to power the VM back on to see if it will boot.

vim-cmd vmsvc/power.on 1

I see that it starts booting, but as the resolution changes on the VM, my VNC viewer freezes. Since I normally don’t know exactly when it freezes, I didn’t know when I got the BSOD again.

That is, until I decided to look at the vmware.log file. This is what I saw there:

2017-10-18T22:27:05.519Z| svga| I125: SVGA disabling SVGA
2017-10-18T22:27:05.545Z| svga| W115: WinBSOD: (20) 'Technical information: '
2017-10-18T22:27:05.545Z| svga| W115:
2017-10-18T22:27:05.546Z| svga| W115: WinBSOD: (22) '*** STOP: 0x000000D1 (0xFFFFF88000BF2000,0x0000000000000002,0x0000000000000001,0'
2017-10-18T22:27:05.546Z| svga| W115:
2017-10-18T22:27:05.546Z| svga| W115: WinBSOD: (23) 'xFFFFF88004206E49) '
2017-10-18T22:27:05.546Z| svga| W115:
2017-10-18T22:27:05.557Z| svga| W115: WinBSOD: (26) '*** usbuhci.sys - Address FFFFF88004206E49 base at FFFFF88004200000, DateStamp'
2017-10-18T22:27:05.557Z| svga| W115:
2017-10-18T22:27:05.557Z| svga| W115: WinBSOD: (27) ' 57b37a29 '
2017-10-18T22:27:05.557Z| svga| W115:
2017-10-18T22:27:05.557Z| svga| W115: WinBSOD: (30) 'Collecting data for crash dump ... '
2017-10-18T22:27:05.557Z| svga| W115:
2017-10-18T22:27:05.573Z| svga| W115: WinBSOD: (31) 'Initializing disk for crash dump ... '
2017-10-18T22:27:05.573Z| svga| W115:
2017-10-18T22:27:07.547Z| mks| W115: Guest operating system crash detected.

Okay, so I see that my hunch is correct. I guess it’s time I remove the USB device from the VM. So I power off the VM again and open up the vmx file and just start removing all instances of USB.
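
Since the VNC viewer froze before the blue screen was visible, the vmware.log fragments above are the only record of the crash. As an added example (not from the original post), this Python snippet reassembles the numbered WinBSOD fragments, whose long lines are split across two entries, and extracts the STOP code, its parameters and the faulting driver; the bugcheck name table is a small lookup I added.

```python
import re

# The vmware.log excerpt from the post. The SVGA backend logs the guest's
# blue-screen text as numbered fragments (one per screen row); long rows are
# split, so the last STOP parameter and the DateStamp continue on the next
# fragment and must be joined back together before parsing.
SAMPLE_VMWARE_LOG = """\
2017-10-18T22:27:05.519Z| svga| I125: SVGA disabling SVGA
2017-10-18T22:27:05.545Z| svga| W115: WinBSOD: (20) 'Technical information: '
2017-10-18T22:27:05.545Z| svga| W115:
2017-10-18T22:27:05.546Z| svga| W115: WinBSOD: (22) '*** STOP: 0x000000D1 (0xFFFFF88000BF2000,0x0000000000000002,0x0000000000000001,0'
2017-10-18T22:27:05.546Z| svga| W115:
2017-10-18T22:27:05.546Z| svga| W115: WinBSOD: (23) 'xFFFFF88004206E49) '
2017-10-18T22:27:05.546Z| svga| W115:
2017-10-18T22:27:05.557Z| svga| W115: WinBSOD: (26) '*** usbuhci.sys - Address FFFFF88004206E49 base at FFFFF88004200000, DateStamp'
2017-10-18T22:27:05.557Z| svga| W115:
2017-10-18T22:27:05.557Z| svga| W115: WinBSOD: (27) ' 57b37a29 '
2017-10-18T22:27:05.557Z| svga| W115:
2017-10-18T22:27:05.557Z| svga| W115: WinBSOD: (30) 'Collecting data for crash dump ... '
2017-10-18T22:27:05.557Z| svga| W115:
2017-10-18T22:27:05.573Z| svga| W115: WinBSOD: (31) 'Initializing disk for crash dump ... '
2017-10-18T22:27:05.573Z| svga| W115:
2017-10-18T22:27:07.547Z| mks| W115: Guest operating system crash detected.
"""

FRAGMENT_RE = re.compile(
    r"^(?P<ts>\S+)\| svga\| W115: WinBSOD: \((?P<idx>\d+)\) '(?P<text>.*)'\s*$"
)
CRASH_RE = re.compile(r"^(?P<ts>\S+)\| mks\| W115: Guest operating system crash detected\.")
STOP_RE = re.compile(r"\*\*\* STOP: (?P<code>0x[0-9A-Fa-f]{8}) \((?P<params>[^)]*)\)")
DRIVER_RE = re.compile(
    r"\*\*\* (?P<driver>\S+\.sys) - Address (?P<addr>[0-9A-Fa-f]+) "
    r"base at (?P<base>[0-9A-Fa-f]+), DateStamp\s*(?P<stamp>[0-9A-Fa-f]+)"
)

# A few common Windows bugcheck codes; 0xD1 is the one in the post.
BUGCHECK_NAMES = {
    0xD1: "DRIVER_IRQL_NOT_LESS_OR_EQUAL",
    0x7E: "SYSTEM_THREAD_EXCEPTION_NOT_HANDLED",
    0x50: "PAGE_FAULT_IN_NONPAGED_AREA",
    0x3B: "SYSTEM_SERVICE_EXCEPTION",
}


def parse_bsod(log_text):
    """Reassemble the WinBSOD fragments and pull out the STOP code, its four
    parameters and the faulting driver. Returns None if no BSOD was logged."""
    fragments, crash_ts = [], None
    for line in log_text.splitlines():
        m = FRAGMENT_RE.match(line)
        if m:
            fragments.append((int(m["idx"]), m["text"]))
            continue
        m = CRASH_RE.match(line)
        if m:
            crash_ts = m["ts"]
    if not fragments:
        return None
    # Join in row order so a value split across two rows (",0" + "xFFFF...")
    # is whole again before the regexes run over it.
    text = "".join(t for _, t in sorted(fragments))
    result = {"crash_detected_at": crash_ts, "stop_code": None, "params": [],
              "bugcheck": None, "driver": None, "address": None,
              "base": None, "datestamp": None}
    stop = STOP_RE.search(text)
    if stop:
        result["stop_code"] = stop["code"]
        result["params"] = [p.strip() for p in stop["params"].split(",")]
        result["bugcheck"] = BUGCHECK_NAMES.get(int(stop["code"], 16), "unknown")
    drv = DRIVER_RE.search(text)
    if drv:
        result.update(driver=drv["driver"], address=drv["addr"],
                      base=drv["base"], datestamp=drv["stamp"])
    return result


if __name__ == "__main__":
    info = parse_bsod(SAMPLE_VMWARE_LOG)
    print(f"{info['stop_code']} {info['bugcheck']} in {info['driver']} "
          f"(fault at {info['address']}, module base {info['base']}), "
          f"crash detected {info['crash_detected_at']}")
```

For a 0xD1 bugcheck the fourth STOP parameter is the faulting address, so checking that it equals the address reported for usbuhci.sys confirms the driver attribution rather than trusting the single log row.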

These are the lines I removed. Don’t worry about breaking anything. The hypervisor will put them back if you need them later. Back up your vmx file before doing it though just in case.

usb.pciSlotNumber = "34"
usb.present = "TRUE"
usb:1.speed = "2"
usb:1.present = "TRUE"
usb:1.deviceType = "hub"
usb:1.port = "1"
usb:1.parent = "-1"
usb.autoConnect.device0 = "path:1/1 autoclean:1"
usb:0.present = "TRUE"
usb:0.deviceType = "mouse"
usb:0.port = "0"
usb:0.parent = "-1"

After you’ve saved your changes, you’ll need to reload the changes so that ESXi will reread the .vmx file to remove the USB device. You can do this by running this command:

vim-cmd vmsvc/reload 1

Now you’re ready to power on the VM.

vim-cmd vmsvc/power.on 1

The VM powers up and I’m back in business. I just had to figure out the USB issue later. Turned out that I just needed to reconnect the device and reformat it. I haven’t seen the issue come up again.

 

Red Hat Enterprise Linux 7.3 is broken!

At least kernel-3.10.0-514.26.2.el7.x86_64.rpm is broken. With it, you will not be able to use a stack size lower than ~4.5MB.

Here’s some reading on why your applications would want to do this: https://www.systemcodegeeks.com/shell-scripting/bash/using-rlimit-and-why-you-should/

Here’s an excerpt:

Why do we care?

Security in depth.

First, people make mistakes. Setting reasonable limits keeps a runaway process from taking down the system.

Second, attackers will take advantage of any opportunity they can find. A buffer overflow isn’t an abstract concern – they are real and often allow an attacker to execute arbitrary code. Reasonable limits may be enough to sharply curtail the damage caused by an exploit.

Here are some concrete examples:

First, setting RLIMIT_NPROC to zero means that the process cannot fork/exec a new process – an attacker cannot execute arbitrary code as the current user. (Note: the man pages suggests this may limit the total number of processes for the user, not just in this process and its children. This should be double-checked.) It also prevents a more subtle attack where a process is repeatedly forked until a desired PID is acquired. PIDs should be unique but apparently some kernels now support a larger PID space than the traditional pid_t. That means legacy system calls may be ambiguous.

Second, setting RLIMIT_AS, RLIMIT_DATA, and RLIMIT_MEMLOCK to reasonable values prevents a process from forcing the system to thrash by limiting available memory.

Third, setting RLIMIT_CORE to a reasonable value (or disabling core dumps entirely) has historically been used to prevent denial of service attacks by filling the disk with core dumps. Today core dumps are often disabled to ensure sensitive information such as encryption keys are not inadvertently written to disk where an attacker can later retrieve them. Sensitive information should also be memlock()ed to prevent it from being written to the swap disk.

You can try running the following commands:

ulimit -s 4096
/bin/true

and see this output:

-bash: /bin/true: Argument list too long

Really!? Find more at Red Hat Bug 1463241 – rlimit_stack problems after update.

If you’re using this kernel, I suggest you upgrade immediately. Any of your applications that are written to run with these limits set will fail.
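
As an added check (not from the original post; Linux only), this Python script reproduces the ulimit -s 4096 / /bin/true test programmatically: it lowers RLIMIT_STACK in a forked child just before exec, which is what the shell does in a subshell, and reports which stack limits still let exec succeed. On the affected kernel the 4096 KiB probe fails with E2BIG, the errno behind “Argument list too long”.

```python
import errno
import resource
import shutil
import subprocess

# Stack limits to probe, in KiB. 4096 KiB is the post's failing case on the
# affected kernel; it puts the threshold at roughly 4.5 MiB.
DEFAULT_SIZES_KIB = (2048, 4096, 8192)


def probe_stack_limit(size_kib, program=None):
    """Exec `program` (default: the `true` binary) with RLIMIT_STACK lowered to
    size_kib in the child only. Returns a dict saying whether the exec worked;
    on the affected kernel it fails with E2BIG ("Argument list too long")."""
    program = program or shutil.which("true")
    if program is None:
        return {"size_kib": size_kib, "ok": False, "error": "no `true` binary on PATH"}
    _soft, hard = resource.getrlimit(resource.RLIMIT_STACK)
    limit = size_kib * 1024
    if hard != resource.RLIM_INFINITY and limit > hard:
        return {"size_kib": size_kib, "ok": False, "error": "above hard limit"}

    def lower_stack():
        # Runs in the child between fork() and exec(), like `ulimit -s` in a
        # subshell, so the parent process keeps its own limit untouched.
        resource.setrlimit(resource.RLIMIT_STACK, (limit, hard))

    try:
        subprocess.run([program], check=True, preexec_fn=lower_stack)
    except OSError as exc:
        # exec itself failed; E2BIG is the symptom the post describes.
        name = errno.errorcode.get(exc.errno, "OSError") if exc.errno else str(exc)
        return {"size_kib": size_kib, "ok": False, "error": name}
    except subprocess.CalledProcessError as exc:
        return {"size_kib": size_kib, "ok": False, "error": f"exit status {exc.returncode}"}
    return {"size_kib": size_kib, "ok": True, "error": None}


def probe_stack_limits(sizes_kib=DEFAULT_SIZES_KIB):
    """Probe each size and return {size_kib: result}."""
    return {size: probe_stack_limit(size) for size in sizes_kib}


def smallest_working_stack_kib(results):
    """Smallest probed limit under which exec still worked, or None."""
    working = [size for size, r in results.items() if r["ok"]]
    return min(working) if working else None


if __name__ == "__main__":
    results = probe_stack_limits()
    for size, r in sorted(results.items()):
        status = "ok" if r["ok"] else f"FAILED ({r['error']})"
        print(f"ulimit -s {size}: {status}")
    smallest = smallest_working_stack_kib(results)
    if smallest is None or smallest > 4096:
        print("exec fails under a 4 MiB stack limit: this looks like the kernel bug in the post")
```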

 

Automated backup of AWS route53 zones

cli53! It’s the coolest tool you can use for Amazon DNS route53! This is the posting I had tried to follow for backing up my zone files.

https://sysinfo.io/automated-backup-aws-route-53-record-sets/

I suspect that AWS changed the output of this command, so it no longer works. Here’s one that does:

cli53 list | awk '{print $2}' | grep -v Name | while read -r line; do cli53 export "$line" > ~/backup/"${line}bk"; done

With this command, it will grab all of the domains and back up each of the zone files.

Spinning up a bunch of virtual desktops in Amazon WorkSpaces (videos)

This was a pretty fun project that I got to do, so I figured I would share the experience. There are multiple use cases for virtual desktops. In our case, it’s ephemeral – we only need them for a few days for a class, so that all students can share the same experience without the need for anything but a web browser. They can probably get a better experience with the PCoIP client, but it could be against some company policies. Most companies will allow HTTPS out, so we figured this would be the easiest way.

The way Amazon WorkSpaces works is that each desktop is assigned to a single user and the users sit in the directory service. The service I’m using is the Simple AD (Samba 4) as I had no need for a huge directory. To create the users, we will just need a UID (sAMAccountName in AD) and a password if using the API to create the desktops. If using the Amazon portal to create the desktops, you’ll need the first and last name and an email address as well. You can easily import a CSV file with this information, but for the sake of simplicity, I just use a generic account name and numbers.

After creating the directory and starting up a single desktop, I went to the “Programs” in the Control Panel and “Turn Windows Features on and off” and “Features” to install the “AD DS and AD LDS Tools”. More information on the RSAT tools is available here: https://wiki.samba.org/index.php/Installing_RSAT 

Here’s a short video on how to do it:

Once the RSAT tools are installed, the “dsadd” command will be available to add users. This is the script I’m using that asks for the users and then creates the users:

@echo off
set /p users=Number of users to create:
echo "Creating %users% students"
set count=0
rem Guard against an empty or zero answer, which would otherwise loop forever.
if "%users%"=="" goto done
if %users% LEQ 0 goto done
:createusers
    set /a count+=1
    echo creating student%count%
    rem Create the user in Simple AD with its UID (sAMAccountName) and password.
    dsadd user "cn=student%count%,cn=users,dc=corp,dc=amazonworkspaces,dc=com" -samid student%count% -pwd Student%count%
    if "%count%"=="%users%" goto done
    goto createusers
:done

The script will create users with the username student# with passwords Student# – the capital “S” is just for password complexity.

After creating the users, we can go and create the desktops. To do this, I used awscli. On a Mac or Linux system, it can be easily installed by running “easy_install awscli”. After installation, there will be a config and a credentials file that should be configured in the .aws directory in your home directory. Once that’s set, you can check which workspaces you have by running “aws workspaces describe-workspaces” – that gives you an idea of what your workspaces look like. The minimal template I’m using for workspaces looks like this:

{
  "Workspaces": [
    {
      "DirectoryId": "d-9267258c77",
      "UserName": "%username%",
      "WorkspaceProperties": {
        "RunningMode": "AUTO_STOP"
      },
      "BundleId": "wsb-gw81fmq2p"
    }
  ]
}

The DirectoryId is the directory service where the users are housed; I’ll be replacing %username% with student#, and I added RunningMode just to save on costs – the desktops automatically suspend after an hour of idling. It takes about 90s to spin back up if they suspend. The BundleId is the VM image that you want to provision. This one is the customized one for our classroom.

With the template in place, we’re ready to run the script:

#!/bin/bash

echo "Number of Desktops to Create [20?]"
read -r desktops
echo "$desktops"
COUNTER=0
while [ "$COUNTER" -lt "$desktops" ]; do
    COUNTER=$((COUNTER + 1))
    echo "Creating Desktop number $COUNTER"
    # Fill in the %username% placeholder of the template for this student
    # and hand the result to the WorkSpaces API.
    sed "s/%username%/student$COUNTER/g" create-workspaces.json > "/tmp/student$COUNTER.json"
    aws workspaces create-workspaces --cli-input-json "file:///tmp/student$COUNTER.json"
done
echo "Created $desktops Desktops."

You can remove the temporary files in /tmp afterwards.

Here’s a short video of the scripts in action.

Have fun with your desktops!

AIX notes … ipfilter, unzip, zlib, openssh, openssl

I had the privilege of experiencing AIX for the very first time this week. Hopefully this can save someone else time.

Some packages that aren’t installed by default that you might want include openssl, openssh, unzip, zlib, and IPFilter.

I would probably start with openssl/openssh. In AIX 7.2, you can do it in the OS installer. To do it outside of the installer, keep the installation cd in and run the following commands:

mount -V cdrfs -o ro /dev/cd0 /mnt
cd /mnt/usr/sys/inst.images/
installp -ac -Y -d . openssh.base openssl.base openssl.man.en_US openssh.man.en_US
lssrc -s sshd
umount /mnt

The default partitions aren’t big enough! Fortunately, it’s very easy to extend the partitions. You can do so with the following commands:

chfs -a size=+4G /opt
chfs -a size=+4G /var
chfs -a size=+4G /home
chfs -a size=+4G /usr
chfs -a size=+2G /tmp
chfs -a size=+4G /admin

Installing 3rd party software:

You can download unzip from: https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/unzip/unzip-6.0-3.aix6.1.ppc.rpm. You can install it with “rpm -i” just like in Linux. Another option for unzipping files without unzip is to use jar. You can run “jar -xvf” on a file and it will unzip it as well.

If you need the zlib library, you can get it from:  https://public.dhe.ibm.com/aix/freeSoftware/aixtoolbox/RPMS/ppc/zlib/zlib-1.2.11-1.aix6.1.ppc.rpm.

You can install IPFilter from https://www-01.ibm.com/marketing/iwm/iwm/web/reg/pick.do?source=aixbp. It will require a login, but not a serial number. Just create a login and download. Installing IPFilter is a little different. It installs like an AIX package, with installp. Unzip the contents of the IPFilter_Fileset.zip and go into the IPFilter_Fileset directory and run the following commands:

inutoc .
installp -ac -gXY -d. ipfl