Hi everyone,

As you may have noticed, I’m a pretty big proponent of FreeBSD. Lately, I’ve been interested in building a laptop that is light, has long battery life, can do basic email checking/web site browsing/remote server admin over SSH/etc. A bonus would be if I could run FreeBSD in a VMware VM and work on my ports if I’m stuck on a long plane ride.

Wait a minute – forget the VM! I’ll just run DesktopBSD directly on the laptop and have everything I need:

• Email – check (Thunderbird)
• Web browsing – check (FF, natch)
• SSH – check
• Full /usr/ports tree – check!

I’ve got version 1.6 loaded up on my venerable IBM Thinkpad 600x that had been mothballed for a couple of years, and after replacing the CMOS battery (go away nasty POST 161/163 errors!), and replacing the first-gen wireless PCMCIA card with a Linksys WPC54G, things are humming along nicely.

I did have to wrestle with the drivers for the Linksys card, guided largely by a helpful post on TaoSecurity, but eventually I got it working.

I’m currently in building the OpenOffice 2.x port so I can really get things done remotely, but it has been compiling for 2+ days now (!), and there’s no indication when it will finish!

I’ll post more about DesktopBSD as I get further into it.

Keep in touch,
Greg
SourceHosting.net, LLC

Hi everyone,

Since FreeBSD 7.0 was recently released, I figured it’s a good time to put a VMware image together and have a look. Probably one of the most interesting new enhancements is the addition of the ZFS filesystem. I can’t wait to try that out, and it should make managing disk space a lot easier in the context of the SourceHosting.net service.

You can find the zipped image on the SourceHosting.net BitTorrent tracker. Some notes about the image:

• The VM has been configured with 768Mb of memory. You can reduce it to 512Mb, but the ZFS documentation says “Me want more memory!“
• The root password is “password”
• ZFS is enabled by default
• The /usr/ports filesystem is located in a ZFS pool
• The Ethernet interface is bridged to the host and uses DHCP

I tested this VM in VMware Server and VMware Player, and it seems to work fine. If you have any questions or problems, feel free to post comments here.

Keep in touch,
Greg
SourceHosting.net, LLC

Hi everyone,

I was recently reminded of a problem I ran into when I first set up the SourceHosting.net service on VMware Server. The VMware technology has the concept of virtual networks, including a host-only network. The host-only network enables several VMs on the same host to communicate on their own private Ethernet switch. This is a great way to simulate a real-world, production environment.

However, what if you want resources on the host-only network, such as private servers without routable public IP addresses, to be able to make outbound connections to the outside world? That’s where it gets a bit tricky! The SourceHosting.net service assigns a FreeBSD jail to each client, and these servers each have an IP address on the host-only network. They need to make connections to the public Internet, so after some digging around, I found a solution.

The first thing to do is assign a host-only network gateway address to your VMware Server host. In my case, the host-only network is addressed as 172.16.80.0/255.255.240.0. The physical server’s gateway address is therefore 172.16.80.1.

Each VM has 2 NICs defined, one with a routable Internet address and one with a host-only address, perhaps 172.16.80.2. A FreeBSD jail running inside a VM will have a host-only IP address aliased to the 2nd NIC, such as 172.16.80.55. Somehow, a packet originating in the jail must pass out through the VM, then the physical host to the destination and back again.

The FreeBSD VM can easily send its packets out to the host-only address on the physical host by using this directive in its /etc/rc.conf file:

Since the jail IP addresses are aliased to the host-only NIC in the VM, packets originating from a jail will also use 172.16.80.1 as their default router.

At the physical host level, in order for packets to pass from its host-only interface to its external interface, it must be configured as a router. That’s done by adding the following directive to the /etc/sysctl.conf file (on RHEL 4 and other flavors of Linux):

So far, so good. Now here’s where the craziness, errr magic, happens! The following firewall script is added to /etc/rc.local:

The most important bit of this script is the last line. The rest of it defines some variables and cleans up the firewall rules to a known state. Since a hardware firewall is doing all of the heavy lifting in front of this server, the iptables software firewall is going to serve simply as a source address packet mangler. Hmm, “packet mangling” – that sounds nasty! But it’s actually a good thing here, because it ensures that packets get from point A to B and back again.

We also need to look at the routing table to figure out how source address mangling will change how the packet behaves:

Normally, if a packet originates from the vmnet1 interface (VMware host-only network) with a source address of 172.16.80.55 and bound for www.google.com (74.125.47.103), it will be handled by the default route and sent out the eth0 interface. That’s all well and good, but when Google tries to reply, a router somewhere along the way sees a source address of 172.16.80.55 and drops the packet.

Enter POSTROUTING and SNAT! Here is the expanded iptables command from our script above:

Ok, let’s break it down:

1. Add a rule to the nat table (“-t nat”)
2. Append the rule to the POSTROUTING chain (“-A POSTROUTING”) – i.e. apply rule after deciding which route will handle the packet
3. Process the packet when its source address originates on the host-only network (“-s 172.16.80.0/20”) and it’s bound for the eth0 interface (“-o eth0”) – normally a bad thing!
4. Jump to the SNAT target for source address modification (“-j SNAT”)
5. Change the source address to AAA.BBB.CCC.11 and send the packet on its merry way (“--to AAA.BBB.CCC.11”)

This means that when the packet reaches the Google server, it contains the valid source address of AAA.BBB.CCC.11 that maps to our VMware Server host. Reply packets flow back to the host, and then iptables remaps the destination address from AAA.BBB.CCC.11 to the proper host-only network originating address, according to the stored connection information.

Iptables is an incredibly flexible tool that performs many useful packet modification tasks, as well as firewall functions. If you have any favorites uses for it, feel free to post comments and feedback!

Keep in touch,
Greg
SourceHosting.net, LLC

Hi everyone,

I’ve got FreeBSD 7.0 downloaded and running as a VMware Server virtual machine so I can start checking it out and get a feel for how it works. Once ZFS is deemed stable for production, I’ll plan to migrate to the 7.x series.

The first thing I generally do after setting up a new VM is install VMware Tools. Wait – scratch that. The first thing I have to do before installing VMware Tools is install Perl, since it’s not part of the FreeBSD base system. That’s easy enough:

Ok, on to the VMware Tools installer! After starting the vmware-install.pl script, I answered a bunch of questions (used all default responses), and finally was met with this somewhat odd message:

Wait a minute – I’m pretty sure I’m installing in a virtual machine here! Initially, I pored through the installation Perl script and discovered that it executes vmware-checkvm to determine if it’s running inside a VM or not. Ok, let’s try that by hand:

That’s a problem! vmware-checkvm is a statically-linked binary, and to get it working, the FreeBSD compat6x port needs to be installed. The compat6x port installs a variety of libraries that were found in FreeBSD 6.x but have had their versions bumped for FreeBSD 7.0.

Hmm, still no joy after doing that – vmware-checkvm is still core dumping. After more Googling and nosing about in the VMware Tools installation script, I learned that VMware expects the libc.so.6 library installed by compat6x to be in /lib. However, all compat{3,4,5,6}x ports install their libraries in /usr/local/lib/compat to avoid messing with the base system.

A simple symbolic link gets libc.so.6 in place for VMware:

ln -s /usr/local/lib/compat/libc.so.6 /lib

And now success, right? Wrong!

I’m not logged in over the network, so why am I getting this message? It turns out that tcsh (root shell in FreeBSD) is setting the REMOTEHOST environment variable, even though I’m logged in at the VM’s console.

The solution is a simple command:

Start up the VMware Tool installer one more time, and now it works!

Maybe the newest version of VMware Server supports FreeBSD 7.0 natively, so I’ll have to test that out soon. Details will be posted here when I do!

Keep in touch,
Greg
SourceHosting.net, LLC

Hi everyone,

A while back, I hooked up my CodeIgniter sample application to a MySQL database. That was easy, and now I’ll show how to move your presentation code into separate view files, instead of echo’ing HTML from inside a controller file.

According to the CodeIgniter manual, views are stored in the /views (hmm, that makes sense!) directory of your application, and they can be divided up across functional areas with subdirectories. Since it’s possible to create page snippets and load them in sequence, you might have a directory structure like this:

/views
  /global
    /layout
      /header.php
      /footer.php
  /navigation
      /left_side.php
      /bottom_links.php
  /user
    /add.php
    /edit.php
    /delete.php
    ...
  /group
    /add.php
    /edit.php
    /delete.php
    ...
  /...
  /...

Then when you want to render a particular page, say the “add user” page of your web app’s administrative interface, the code would look like this:

I haven’t gotten that complex yet, but I did move the code to display my user count into a view and set the value in the controller like so:

The file /views/user/showcount.php is pretty simple:

Ok, this all seems to be pretty easy. Of course, there’s a bunch more functionality in the CodeIgniter framework, but I think what I’ll do for my next post is shift gears and go through the same basic exercises using CakePHP, Prado, and the Zend Framework.

It will be interesting to see if there’s any similarity to the way the classic “Hello, world.” program varies in complexity based on implementation language!

Keep in touch,
Greg
SourceHosting.net, LLC

Hi everyone,

I’ve submitted some new FreeBSD port upgrades over the past week, including new support for CodeIgniter 1.6.1. In addition to the version bump of the upstream distribution, I also added some new bits to allow customization of certain CI files. The port is also careful to avoid removing those modified files when a new port upgrade comes along.

The reference for how to handle user-configurable files installed as part of a port can be found in the excellent FreeBSD Porter’s Handbook in the Configuration Files section.

In the new CodeIgniter port, the following user-configurable files are installed:

<INSTALL_DIR>/index.php
<INSTALL_DIR>/index.php.sample
<INSTALL_DIR>/system/application/config/autoload.php
<INSTALL_DIR>/system/application/config/autoload.php.sample
<INSTALL_DIR>/system/application/config/config.php
<INSTALL_DIR>/system/application/config/config.php.sample
<INSTALL_DIR>/system/application/config/database.php
<INSTALL_DIR>/system/application/config/database.php.sample
<INSTALL_DIR>/system/application/config/hooks.php
<INSTALL_DIR>/system/application/config/hooks.php.sample
<INSTALL_DIR>/system/application/config/mimes.php
<INSTALL_DIR>/system/application/config/mimes.php.sample
<INSTALL_DIR>/system/application/config/routes.php
<INSTALL_DIR>/system/application/config/routes.php.sample
<INSTALL_DIR>/system/application/config/smileys.php
<INSTALL_DIR>/system/application/config/smileys.php.sample
<INSTALL_DIR>/system/application/config/user_agents.php
<INSTALL_DIR>/system/application/config/user_agents.php.sample

What this does is install a reference copy of each file (*.sample) that is not expected to be edited by the user. The actual file that CodeIgniter uses to render pages (no .sample suffix) is user-configurable as needed.

Then some crazy-looking shell code in the pkg-plist file makes sure that any edited files are not removed if the port is deinstalled or upgraded (reformatted for readability):

This concept needs to be implemented in several of the other ports that I maintain, including CakePHP and Prado. If anyone has a list of files that are user-configurable in each of those frameworks, please send it along!

Keep in touch,
Greg
SourceHosting.net, LLC

Hi everyone,

I’m a bit late on posting to the blog, but I can explain! I took a vacation to Sedona, AZ last week (reason: here!) and didn’t have too much time to get online between marathon mountain-biking and hiking trips. I am planning some new posts for later this week, though.

In the mean time, I can show you a few pictures from the Sedona area. If you get a chance, definitely put this place on the list to visit. It is simply awe-inspiring!

Here’s a nice shot of the unnamed butte next to Soldier Pass that was lit with the evening sun as we climbed up to Devil’s Bridge:

(Topo map reference)

Hiking to the summit of Bear Mountain is an absolute must if you visit Sedona. This trip is the longest 5 mile hike I think I’ve ever been on. Bring tons of water and sunscreen, and make absolutely sure you follow the trail closely on the way down. Luckily, if you do get off-trail, it’s fairly easy to see where you should be going, i.e. not along the edge of Fay Canyon!

(Topo map reference)

Keep in touch,
Greg
SourceHosting.net, LLC

Hi everyone,

SourceHosting.net is still attracting a fair number of confused folks who think they’ve landed on the CVS pharmacy corporate site. This all started when we launched some new Google AdWords campaigns. Apparently, the folks viewing the ads on the Google AdWords Content Network aren’t terribly aware of what they’re clicking. Here are some recent sample inquiries:

<span style="width: 500px">*** *** ***
I have a CVS <span class="hl">Blood</span> <span class="hl">Pressure</span> Monitor and it keeps showing Full before the reading </span>

<span style="width: 500px">appears. How do I get rid of that word?.
*** *** ***</span>

Umm, reboot the monitor?

*** *** ***
I picked up a perscription [sic] at ny [sic] CVS store today and on the bottom of

the receipt there is a message:

" Your Extracare Accounr [sic] Information is incomplete. Please visit www.cvs.com/extracare "

Well, here I am........What does the mesage [sic] mean ??????
*** *** ***

I love this – “Well, here I am…” and the actual web site URL is included. If you really were “here”, I wouldn’t have received this message!

Ok, I guess the ads need to be configured with some negative keywords. Interestingly, the negative keywords “pharmacy” and “extracare” were already in the campaign, but I just added some more like “pharmacy” and “drugs”. Next step – turn off the ad delivery on the content network.

Keep in touch,
Greg
SourceHosting.net, LLC

Hi everyone,

Are you using the Perl SVN::Notify module to generate your Subversion commit notification emails yet? If not, go install it, and try out svnnotify. It generates very nice-looking text or HTML-formatted emails, and it has loads of options to make it do just what you want. Place as many svnnotify commands as you like in your Subversion post-commit hook script, and off you go.

Unfortunately, with a large number of developers and many different projects in your repository, your post-commit script may start to look like this:

svnnotify -r $2 -d -P "SVN Commit " -O -H HTML::ColorDiff -p $1 -t dev@company.com
svnnotify -r $2 -H  Mirror::Rsync -p $1 --rsync-host devserver.company.com \
    --to /usr/local/www/htdocs --rsync-delete=yes
svnnotify -r $2 -d -P "SVN Tag Creation " -O -H HTML::ColorDiff -p $1 \
    -x builder@company.com=/tags
svnnotify -r $2 -d -P "SVN Branch Creation " -O -H HTML::ColorDiff -p $1 \
    -x builder@company.com=/branches
svnnotify -r $2 -d -P "SVN Vendor Drop " -O -H HTML::ColorDiff -p $1 \
    -x vendormgr@company.com=/vendor
svnnotify -r $2 -d -P "ClientA Special Version Commit " -O -H HTML::ColorDiff \
    -p $1 -x dev@clientA.com=/branches/clientA

Yikes -that’s bound to keep any Subversion administrator up nights! However, help is on the way from Perl developer John Peacock.

John has created a nice wrapper around SVN::Notify named SVN::Notify::Config. This Perl module transforms the mess of command lines above to a cleaner, easily-editable form using YAML to express the desired svnnotify options.

The equivalent post-commit hook using SVN::Notify::Config is now:

#!/usr/bin/perl -MSVN::Notify::Config=$0
 --- #YAML:1.0
 '':
   PATH: "/usr/bin:/usr/local/bin"
 '/':
   handler: HTML::ColorDiff
   with-diff:
   no-first-line:
   subject-prefix: "SVN Commit "
   to: dev@company.com
 '/':
   handler: Mirror::Rsync
   to: /usr/local/www/htdocs
   rsync-host: devserver.company.com
   rsync-delete: yes
 '/tags':
   handler: HTML::ColorDiff
   with-diff:
   no-first-line:
   subject-prefix: "SVN Tag Creation "
   to: builder@company.com
 '/branches':
   handler: HTML::ColorDiff
   with-diff:
   no-first-line:
   subject-prefix: "SVN Branch Creation "
   to: builder@company.com
 '/vendor':
   handler: HTML::ColorDiff
   with-diff:
   no-first-line:
   subject-prefix: "SVN Vendor Drop "
   to: vendormgr@company.com
 '/branches/clientA':
   handler: HTML::ColorDiff
   with-diff:
   no-first-line:
   subject-prefix: "ClientA Special Version Commit "
   to: dev@clientA.com

That’s a lot more readable, and I expect it will be easier to maintain, even though there are more lines in the file. I’m still boning up on the YAML syntax and how this module uses it, so there may be some optimizations to be made. Feel free to send corrections!

The other thing I like about using YAML this way is it lends itself well to hooking into a notification management web interface, and that makes it even easier to keep those emails flowing where they should.

Keep in touch,
Greg
SourceHosting.net, LLC

Hi everyone,

Here’s a little trick I’ve been using for quick deployment of additional virtual disk space to the VMware VMs that comprise the SourceHosting.net service. The VMware Server installation includes the vmware-vdiskmanager tool for creating, renaming, expanding and generally messing about with virtual hard drives.

However, I don’t like running this tool to create a new 50Gb virtual disk in the middle of the day because it just slams the disk I/O channel. To get around the problem, I’ve created several disks of different sizes during off-hours and compressed them down for easy storage. Then when I need to provision a disk, I expand it, rename it and hook it to the virtual machine in Virtual Center:

So here are some compressed disk images for you (SCSI format):

• 10Gb (8391 byte download)
• 20Gb (16415 byte download)
• 50Gb (40373 byte download)
• 100Gb (80373 byte download)

Once downloaded, extract them as follows:

CAUTION: The resulting extracted files will be the actual size represented in the filename. They compress down so well because they are mostly empty space until they are hooked to a VM and a filesystem is created.

After I extract the files, I typically rename the virtual disk to something more meaningful, like the name of the mount point in my VM. This way, I can easily tell which virtual disk is used for what without consulting the VM config file. The disk rename command looks like this:

Simple!

Keep in touch,
Greg
SourceHosting.net, LLC