Monthly Archives: December 2010

Getting ready for IPV6

I’ve been regularly playing with IPV6 since mid-2006 when I first opened an account at SixXS and got my first IPV6 tunnel up and running. Sadly at that point, there weren’t many Points of Presence for tunnels, not even mentioning the state of native IPV6 networks…

Relatively recently my dedicated server provider started offering native IPV6 connectivity in their Nuremberg-based datacenter. They offer a /64 per server which should be plenty enough for most users and allows for stateless configuration of a single network. Unfortunately in my case, I’m running OpenVZ, LXC and KVM on that box, meaning multiple distinct networks with bridging and firewalls.

As I also wanted IPV6 connectivity for my home network and would rather have a single provider for both, I started looking at the current state of tunnel brokers and ended up choosing Hurricane Electric, who offer free IPV6 tunnels and one /48 network per subnet, which is exactly what I needed. They have Points of Presence pretty much all around the world, which means very low latency IPV6 for all my networks.
They also happen to be one of the two upstream providers of the ISP we use at the office.

So I started configuring my Vyatta (Debian-based router distribution) routers to handle the IPV6 tunnel, send Router Advertisements to all my networks (radvd), relay DHCPv6 to my DHCP server and firewall incoming traffic.
That was surprisingly easy, taking only a few minutes, copy/pasting the configuration provided by the tunnel broker and setting up the firewall rules.

I then made sure all my main services are working properly with IPV6; for now that includes DNS servers, web servers, mail servers and shell access. I backported Natty’s isc-dhcp-server to 10.04 LTS, moved my DHCP to using it and created a minimal configuration to get stateless DHCPv6 to announce my NTP and DNS servers.
I also updated my public DNS to include AAAA records for all services that have dual-stack support and got my registrar to add IPV6 glue records to my domain.

I’ve now been running that setup for a week or so for my home network, dedicated server and office network. Running wireshark for a few hours showed that almost half of my connections are IPV6 (mostly on my own networks).

I’ve been surprised to see how well Ubuntu Natty’s NetworkManager copes with an IPV6 network. In my case, it successfully noticed the “other-config” flag in the router advertisement and started dhclient to grab the DNS and NTP configuration from the DHCPv6 server.
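To make the “other-config” behaviour concrete, here is an added example (written for this page, not code from the post or from radvd/NetworkManager) that parses a Router Advertisement, reads the M and O flags and the Prefix Information option, and flags anything that differs from what the local radvd should be sending, which is also a cheap rogue-RA check. The 2001:db8:1::/64 prefix and the RA bytes are constructed sample values; the ICMPv6 checksum is left zeroed.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type (RFC 4861)
OPT_PREFIX_INFO = 3      # Prefix Information option

def parse_ra(msg: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement into its M/O flags and prefix options."""
    if len(msg) < 16 or msg[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    flags = msg[5]
    ra = {
        "managed": bool(flags & 0x80),       # M: get addresses from stateful DHCPv6
        "other_config": bool(flags & 0x40),  # O: get DNS/NTP/... from DHCPv6 (stateless)
        "router_lifetime": struct.unpack("!H", msg[6:8])[0],
        "prefixes": [],
    }
    off = 16
    while off + 2 <= len(msg):
        otype, olen = msg[off], msg[off + 1] * 8  # option length is in 8-byte units
        if olen == 0 or off + olen > len(msg):
            raise ValueError("malformed ND option")
        if otype == OPT_PREFIX_INFO and olen == 32:
            plen, pflags = msg[off + 2], msg[off + 3]
            prefix = ipaddress.IPv6Address(msg[off + 16:off + 32])
            ra["prefixes"].append({
                "prefix": f"{prefix}/{plen}",
                "on_link": bool(pflags & 0x80),
                "autonomous": bool(pflags & 0x40),  # A: hosts may SLAAC from this prefix
            })
        off += olen
    return ra

def check_ra(ra: dict, expected_prefixes: set) -> list:
    """Complaints about an RA that does not match what our radvd should be sending."""
    problems = []
    if ra["managed"]:
        problems.append("M flag set: stateful DHCPv6 is not expected on this network")
    if not ra["other_config"]:
        problems.append("O flag clear: clients will not ask DHCPv6 for DNS/NTP")
    for p in ra["prefixes"]:
        if p["prefix"] not in expected_prefixes:
            problems.append(f"unexpected prefix {p['prefix']} (rogue router?)")
    return problems

def build_sample_ra() -> bytes:
    """Constructed RA: hop limit 64, O flag only, lifetime 1800s, 2001:db8:1::/64 on-link+autonomous."""
    header = bytes([ND_ROUTER_ADVERT, 0, 0, 0, 64, 0x40]) + struct.pack("!HII", 1800, 0, 0)
    pio = bytes([OPT_PREFIX_INFO, 4, 64, 0xC0]) + struct.pack("!III", 86400, 14400, 0)
    return header + pio + ipaddress.IPv6Address("2001:db8:1::").packed
```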

So I now have a working environment to develop the next generation LTSP-Cluster, which is supposed to have complete IPV6 support from the first release.

Let’s hope we’ll see more IPV6 deployment in 2011.
Happy new year everyone!

Posted in LTSP, LXC, Planet Revolution-Linux, Planet Ubuntu

Having fun with containers

Not really having anything specific to do yesterday, I chose to have a bit of fun with sandbox.

I ended up installing a completely clean Ubuntu 10.10 in a VM with just an ssh server running.
I then installed sandbox from my PPA and appended the following line to my /etc/ssh/sshd_config:

ForceCommand sudo /usr/bin/sandbox -c "$SSH_ORIGINAL_COMMAND"

And this one to /etc/sudoers:

ALL ALL=NOPASSWD: /usr/bin/sandbox

Then restarted sshd.

The result is that any incoming ssh connection will be sent to its own sandbox with no direct access to the disk, no network available and no way to see other users’ processes.
Connecting twice over SSH will give you two shells which won’t be able to see each other.

Posted in LXC, Planet Revolution-Linux, Planet Ubuntu, Sandbox

Want your own Edubuntu weblive?

Since I announced Edubuntu WebLive, 8000 users have been testing Edubuntu using it.

[Screenshot: Edubuntu WebLive]

After a bit of cleaning up and packaging, I’m now pleased to announce that the source code for both our Drupal plugin and the XML-RPC daemon is available on Launchpad: https://code.launchpad.net/vmmanager.

Drupal plugin

Features:

  • Provides the user interface for Weblive, like the one on: http://www.edubuntu.org/vmmanager
  • Gives a basic administration interface to enable/disable the NX servers and update all the text shown in the user interface
  • Code is PHP using the Drupal form APIs and php-xmlrpc to contact the ltsp-cluster-agent plugin

Installation is relatively trivial, just follow the README file in the branch.

ltsp-cluster-agent plugin

Features:

  • XML-RPC service (authenticated and using HTTPS) that Drupal uses to create new users
  • Database of all accounts ever created, their status and expiry time
  • Support for multiple SSH servers
  • Client to query the database (also over xml-rpc) to gather statistics or manually create/remove accounts
  • Code is python, using paramiko for SSH and storm+sqlite as ORM

Installation is straightforward as everything is packaged here: https://launchpad.net/~stgraber/+archive/experimental

ltsp-cluster-agent is a python daemon designed for use by LTSP and LTSP-Cluster. More on that in a later post.
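As an added illustration of the daemon side described above (example code written for this page, not the vmmanager or ltsp-cluster-agent source), here is a minimal authenticated XML-RPC service over HTTPS with an sqlite record of every account created, its server, status and expiry. It uses plain sqlite3 instead of storm, HTTP Basic auth with a shared secret as the assumed authentication scheme, and leaves out the paramiko step that creates the account on the SSH server; the credentials and certificate path are placeholders.

```python
import base64
import hmac
import secrets
import sqlite3
import ssl
import time
from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer

class AccountStore:
    """Every account ever created, with its SSH/NX server, status and expiry time."""
    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute("CREATE TABLE IF NOT EXISTS accounts(user TEXT PRIMARY KEY, server TEXT, status TEXT, expires REAL)")

    def create(self, server, ttl=900, now=None):
        """Record a throw-away account; actually creating it on `server` (paramiko) is left out here."""
        now = time.time() if now is None else now
        user, password = "weblive-" + secrets.token_hex(4), secrets.token_urlsafe(12)
        self.db.execute("INSERT INTO accounts VALUES (?, ?, 'active', ?)", (user, server, now + ttl))
        return {"user": user, "password": password, "server": server, "expires": now + ttl}

    def expire(self, now=None):
        """Mark overdue accounts expired (the real daemon would also remove them); returns the count."""
        now = time.time() if now is None else now
        return self.db.execute("UPDATE accounts SET status = 'expired' WHERE status = 'active' AND expires <= ?", (now,)).rowcount

def basic_header(user, secret):
    return "Basic " + base64.b64encode(f"{user}:{secret}".encode()).decode()

def check_basic_auth(header, user, secret):
    """Constant-time check of an HTTP Basic Authorization header."""
    if not header.startswith("Basic "):
        return False
    try:
        presented = base64.b64decode(header[6:], validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    return hmac.compare_digest(presented, f"{user}:{secret}".encode())

class AuthHandler(SimpleXMLRPCRequestHandler):
    """Refuse any XML-RPC request without the shared secret the Drupal side is configured with."""
    user, secret = "drupal", "PLACEHOLDER-shared-secret"  # hypothetical credentials

    def parse_request(self):
        if not super().parse_request():
            return False
        if check_basic_auth(self.headers.get("Authorization", ""), self.user, self.secret):
            return True
        self.send_error(401, "authentication required")
        return False

def serve(store, certfile, port=8443):
    """Serve the store over HTTPS; `certfile` is a PEM holding the server cert and key (assumed)."""
    server = SimpleXMLRPCServer(("0.0.0.0", port), requestHandler=AuthHandler)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile)
    server.socket = ctx.wrap_socket(server.socket, server_side=True)
    server.register_instance(store)  # exposes create() and expire() as XML-RPC methods
    server.serve_forever()
```

A cron-style caller of expire() is what keeps the account database from filling up with live accounts past their session length.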

The VM itself

For Edubuntu, our VMs are entirely automatically generated using debian-installer preseeding and KVM.
Unfortunately these scripts are not clean enough yet for me to release them, I’d expect to have them out very soon though.

The basic requirement for the VM is to have these packages installed:

  • ltsp-cluster-accountmanager (used to cleanup session leftovers)
  • freenx-server (the NX server)

We have recent versions of both in Revolution Linux’s PPA. ltsp-cluster-accountmanager is also in the archive since karmic and I’m hoping for freenx-server to enter the archive soon.

I’d also recommend removing the following packages as they caused some issues with Edubuntu WebLive:

  • network-manager, network-manager-gnome, network-manager-pptp, network-manager-pptp-gnome
  • jockey-common, jockey-gtk
  • rtkit

As usual, comments, patches and bug reports are welcome. I’d also be happy to hear from other deployments of WebLive!

Posted in Edubuntu, LTSP, Planet Revolution-Linux, Planet Ubuntu

Announcing LDM 2.2 and LTSP 5.2.5

Today, I’m pleased to announce the release of both LTSP 5.2.5 and LDM 2.2.

Quite a lot of changes went in over the past few months, 25 commits since the last ltsp release and 82 for ldm.
Here’s a quick overview of what’s new.

Big LDM refactoring and cleanup

Almost a year ago, my company got some funding from the NLNet foundation to work on a few LTSP and LTSP-Cluster related projects. One of them was to make LDM extensible, moving it to a plugin infrastructure and making its interface a bit more flexible.

I’m glad to announce that all of that work landed upstream almost two months ago and since then has been cleaned up and tested.
From a user experience point of view, the only noticeable change should be that the same login screen can now be used for Linux (ssh), Windows (rdp) login and for fat clients.

From a sysadmin/developer point of view, a lot changed:

  • Support for multiple backends. The old SSH backend has been ported to the plugin infrastructure and an RDP plugin has been written. A pam/libssh plugin should soon replace the current SSH plugin
  • Switched to using multiple windows and a window manager instead of our old fullscreen window. It should make it a lot easier to add more widgets to the login screen.
  • New logging functions with different logging levels and standardized logging output with syslog support

LDM 2.2

Remote apps support

It’s now been a few years since local applications have been supported in LTSP, and that support has greatly improved over the years to get to what we currently have.
The biggest issue with it was that if you start an application like Firefox as a localapp and click on a .pdf/.odt/… document in it, it won’t be able to open it unless the required viewer is also a localapp.

That’s now been fixed thanks to the work done by Marc Gariépy and Gideon Romm during the last LTSP hackfest in Southwest Harbor, ME.
ltsp-remoteapps is a new command that can be assigned to mimetypes on the thin client and will open the viewer on the application server.

For the user, this means that if they click on a .odt document in their local Firefox, it’ll now automatically open in OpenOffice Writer on the application server, giving the desktop-like experience that was missing for local applications.

Other than these two big changes, we had our usual set of bug fixes, cleanup and translation updates.

Packages for Ubuntu Natty are already available and a backport for Ubuntu 10.10 (Maverick) is available in my PPA: https://launchpad.net/~stgraber/+archive/ppa

Posted in LTSP, Planet Revolution-Linux, Planet Ubuntu

sandbox 0.2 released and packaged!

Yesterday, while enjoying the snow falling outside (finally!) I went through my TODO list for sandbox and implemented most of what was on it.

Ext4 support for the copy-on-write partition

You can now have the copy-on-write stored on disk instead of RAM memory (tmpfs).
The tmpfs support is still available as an option for those who have plenty of RAM or don’t have a separate /home (due to the aufs limitation).

Nautilus extension

sandbox now has a nautilus extension which lets you start any executable binary/script directly in a sandbox.
[Screenshot: sandbox nautilus integration]

Updated GUI

The GUI is no longer showing any option by default and just “does the right thing” (in most cases).
[Screenshot: sandbox new gui]

All the options being hidden behind “Show sandbox options”.
[Screenshot: sandbox new gui advanced]

Released and packaged it

Finally, I released sandbox 0.2 (0.1 wasn’t in a packagable state) and packaged it for Ubuntu Natty Narwhal.
It’s made of 3 different packages:

  • sandbox: The command line utility and the C part.
  • sandbox-gui: The python GUI and .desktop file (Applications -> System Tools -> sandbox)
  • sandbox-nautilus: The nautilus extension; you need to restart nautilus to have it load

The packages (for natty) can be found in my experimental PPA: https://launchpad.net/~stgraber/+archive/experimental/
and code is still available at: https://code.launchpad.net/~stgraber/+junk/sandbox

[Screenshot: sandbox running software]

For now, everything is called “sandbox” which is more of a concept than an actual project name. As it’s becoming more and more of an actual project and I’m quite bad at finding good names, I’m open for suggestions of a better name for that thing.

Update: Release 0.2.1 auto-detects a separate /home partition and falls back to tmpfs when necessary. Packages are available for Natty (Ubuntu 11.04) and Maverick (Ubuntu 10.10).
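As an added illustration of the 0.2.1 fallback just described (example code written for this page, not sandbox’s own source), here is the decision logic: read the mount table, find the filesystem /home lives on, use on-disk copy-on-write only when /home is its own ext4 mount, and otherwise fall back to tmpfs. The two mount tables at the bottom are constructed samples.

```python
import os

def mount_table(proc_mounts: str) -> dict:
    """Map mount point -> (device, fstype) from /proc/mounts text (octal escapes decoded)."""
    table = {}
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        device, point, fstype = fields[:3]
        table[point.encode().decode("unicode_escape")] = (device, fstype)  # "\040" -> " "
    return table

def mount_point_of(path: str, table: dict) -> str:
    """Longest mount point that is a prefix of `path`, i.e. the filesystem `path` lives on."""
    path = os.path.normpath(path)
    best = "/"
    for point in table:
        if point != "/" and (path == point or path.startswith(point.rstrip("/") + "/")):
            if len(point) > len(best):
                best = point
    return best

def choose_cow_backing(proc_mounts: str, home: str = "/home") -> tuple:
    """('disk', mount point) when /home is its own ext4 filesystem, else ('tmpfs', None).

    The on-disk copy-on-write layer needs /home on a separate partition (aufs
    limitation), so on a single-root system we fall back to RAM as 0.2.1 does.
    """
    table = mount_table(proc_mounts)
    point = mount_point_of(home, table)
    if point != "/" and table[point][1] == "ext4":  # 0.2 added ext4 only
        return ("disk", point)
    return ("tmpfs", None)

def choose_for_this_host() -> tuple:
    """Stand-alone use: decide from the real mount table."""
    with open("/proc/mounts") as f:
        return choose_cow_backing(f.read())

# Constructed mount tables for the two cases the post describes.
SEPARATE_HOME = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
/dev/sda3 /home ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""
SINGLE_ROOT = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
"""
```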

Posted in LXC, Planet Revolution-Linux, Planet Ubuntu, Sandbox