PACC: Week VIII

This week I was dealing with the problem of connecting VMs to host servers in libvirt. I set aside the VDE variant and continued to work on other possible solutions.

One of the solutions was using MacVTap. What is MacVTap?

MacVTap is used to establish a direct connection between a VM and the physical Ethernet adapter. As with the host bridge network, the guests are effectively connected directly to the physical network, so their IP addresses will all be on the subnet of the physical network, and there are no restrictions on inbound or outbound connections.

An important note: due to a limitation in the implementation of MacVTap, these connections do not allow communication directly between the host and the guests.

Changes in the .XML file of the VM

In the .XML file of the guest OS I changed the network configuration from the default to direct, and found that an Ethernet connection appears in the guest machine with a subnet address similar to our lab internet connection, 192.168.19.XXX.

After some ping tests I noticed that I cannot ping the host and guest machines from each other, while VMs on different hosts can communicate with each other.

In order to keep the connection between the host network and the VMs created on one host, I established an isolated network, which allows direct communication between the host and the guest.

From the tutorial:

There is an alternate solution which preserves Network Manager compatibility while allowing guest and host to directly communicate. In short, the solution is to use libvirt to create an isolated network, and give each guest a second interface that is connected to this network; host<-->guest communication will then take place over the isolated network.

1) Save the following XML to /tmp/isolated.xml:

isolated

(if the 192.168.254.0/24 network is already in use elsewhere on your network, you can choose a different network).

2) Create the network, set it to auto-start, and start it:

virsh net-define /tmp/isolated.xml
virsh net-autostart isolated
virsh net-start isolated

3) Edit (using "virsh edit $guestname") the configuration of each guest that uses direct (macvtap) for its network connection and add a new in the section similar to the following:

<-- This line is optional.

4) Shut down, then restart each of these guests.

Finally, I have two new network interfaces: one is eth0, which provides the guest VM with an internet connection, and the other keeps the connection between host and guest on the same machine (with its own IP address, but pingable).

Here are links to the tutorials that I've used:

http://libvirt.org/formatnetwork.html#examplesDirect

http://seravo.fi/2012/virtualized-bridged-networking-with-macvtap

http://wiki.libvirt.org/page/Guest_can_reach_outside_network,but_can't_reach_host(macvtap)

Tested solutions

Firewall

1) I figured out that a possible cause of the problem with VM connections on different host servers might lie in the firewall settings, which might block incoming and outgoing traffic. I disabled it on both the host and guest computers using a program called Gufw.

Gufw is an open source graphical user interface (GUI) for Uncomplicated Firewall. However, this did not solve my problem. The VMs still could not communicate with each other.

ICMP protocol

2) I looked into the ICMP protocol, which might also have been filtering the outgoing and incoming pings.

I tried to change sysctl.conf in order to set up IPv4 forwarding, and added some rules to iptables, but it still had no effect on the general problem.

Developing Android Application 7

Weekly Review:

Finally I finished with the accelerometer. This time I changed my method of dealing with that question. Instead of counting the distance moved, I preferred to count steps, or changes in the accelerometer. So I used the accelerometer data to find the general linear acceleration and checked whether it was greater than 0.48 (probably the value required to make a step). Then I located the orientation with the orientation sensor and moved towards the right angle. This time I considered that I would move in a labyrinth (only one direction of movement), collected the data of the changing angle in degrees from the orientation sensor and combined it with the accelerometer values. Later I drew the background from matrices of true (wall) and false (empty space) and, using the maze, located my target at the initial position; if I can move in the preferred direction, the sensor data will change my position in the map matrices and redraw it. I located the initial position (where we can move) of each map by saving the index in the preferences table. Also, I added background music. I uploaded my initial movement project (Direct) to Dropbox.

PACC: Week 8

When I was setting up PAM authentication via LDAP I noticed one undesirable thing. When I log into the machine as an LDAP user it sometimes mixes up LDAP and local users. For instance, the user akim can access the home directory of csc-151-1 (even though they have different home folders). You can see the example below.

However, it is only like this for a limited number of LDAP users. Others are okay and are displayed fine both in the terminal and in the indicator-applet-session panel, and also have the correct rights to others' home directories. I didn't find the reason, nor other people who encountered this problem. So I think it would be a good idea if we had either LDAP users only or local users only.

I found a working way of making automatically created private home directories. I also reviewed LDAP-PAM authentication and removed a couple of unnecessary steps.

So earlier, I finished the part of the project which was about LDAP. Then I decided to work a bit on setting up centralized synchronized authentication. This is not my task and it is likely that we won't use it at all, but I think it would at least be a nice feature to have (and I also did it just in case we need it in the future).

I chose NFS as the file server. I set up an NFS server and a couple of NFS clients. It worked well, and the directory of one user was the same across the clients. Then I had to establish quotas, so that one user could not take up a lot of disk space on the server. I used the quota and quotatool packages. So now, when a user tries to exceed the limit on the client machine, an error message is displayed and the limit is not exceeded.

In brief, here are the steps to set up NFS:

apt-get install nfs-kernel-server

For example, you want to share the /LDAPstore folder on your server. You need to edit your /etc/exports file: `nano /etc/exports`

and insert the following line:

/LDAPstore *(rw,sync,no_subtree_check,no_root_squash)

Then, restart the server:

service nfs-kernel-server restart

On the client machine:

apt-get install nfs-common

Let's say we want to mount it at the /home/LDAPusers folder. You need to edit the /etc/fstab file:

nano /etc/fstab

Append the following (assuming that the server hostname is sst7422-17):

sst7422-17:/LDAPstore   /home/LDAPusers  nfs defaults 0 0

Mount the chosen directory:

mount /home/LDAPusers
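The export line used above hands the share to every host (`*`) with `no_root_squash`, which is the combination most worth a second look before the server sits on a shared lab network. The script below is an added illustration, not part of the post or of the NFS tools: it parses /etc/exports lines in the format shown and reports the options that widen exposure. The sample file, the 192.0.2.0/24 subnet and the /pub line are constructed.

```python
import ipaddress
import re

# Constructed /etc/exports: the line from the post plus two variants for comparison.
SAMPLE_EXPORTS = """\
# LDAP home directories (constructed sample file)
/LDAPstore *(rw,sync,no_subtree_check,no_root_squash)
/LDAPstore 192.0.2.0/24(rw,sync,no_subtree_check)
/pub (ro)
"""

# A client spec is either "client(opt,opt)" or a bare client with default options.
ENTRY_RE = re.compile(r"(\S*)\(([^)]*)\)|(\S+)")

def parse_exports(text):
    """Yield (path, client, options) per exported client; an empty client in front
    of the parentheses (the classic "/path (ro)" mistake) means every host."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *rest = line.split(None, 1)
        for m in ENTRY_RE.finditer(rest[0] if rest else ""):
            client = m.group(1) if m.group(2) is not None else m.group(3)
            opts = {o for o in (m.group(2) or "").split(",") if o}
            yield path, (client or "*"), opts

def is_world(client):
    """True when the client spec admits every host ("*" or a /0 network)."""
    if client == "*":
        return True
    try:
        return "/" in client and ipaddress.ip_network(client, strict=False).prefixlen == 0
    except ValueError:
        return False

def review(text):
    """Return findings as (path, client, severity, reason) for the patterns this
    script knows: world exports, writable world exports, no_root_squash, insecure."""
    findings = []
    for path, client, opts in parse_exports(text):
        world = is_world(client)
        if world:
            findings.append((path, client, "medium", "exported to every host; pin a subnet or host list"))
        if world and "rw" in opts:
            findings.append((path, client, "high", "writable by any host that can reach the NFS port"))
        if "no_root_squash" in opts:
            findings.append((path, client, "high" if world else "medium",
                             "no_root_squash: a client's root is root on the exported tree"))
        if "insecure" in opts:
            findings.append((path, client, "medium", "insecure: mount requests accepted from unprivileged ports"))
    return findings
```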

To set up quotas, I found this website most useful.

Android 1.4

Last week I tried to work with the Tiled map editor. I found that we need the GDX library to work with it. I looked through some tutorials and tried to run some of their examples. However, in the Android developer tools they did not run. The strange thing is that there is no error inside the Android project, but overall the project is marked with a warning mark. I checked all prerequisites and paths. It did not help. I worked with Java 6, as I found on the internet that Java 6 was suggested. But it did not work either. Also, there is an open source engine, AndEngine, which uses tile maps. I downloaded it, but found its code too difficult to understand. Ultimately, I found a tutorial where the map could be made with the help of a simple matrix. I changed the UI a lot. Now, the project looks like this [screenshots 1-4].

Clearly, there will be other significant changes.

To do:

  • help Damir with integrating my code with his

  • modify the UI

  • make the options menu

Current errors:

  • when I open the play dialog window, the options dialog window appears

  • I changed the color of the play dialog window to black and then the project did not compile on any mobile device, only in the emulator (I deleted the code, but the problem was not solved)

PACC Week 5 Report

I joined my colleague Temirlan; now we are trying to set up a connection between VMs that are hosted on different machines. I started by setting up my webvirtmgr servers. Now I have 2 servers, each running 2 VMs. To do this I used links that I found in Temirlan's post and also his help.

Owncloud Week 4 Report

In order to test alternatives to owncloud, VirtualBox with Debian was installed. I plan to test Owncloud there running on the Nginx+Mysql combination, since the main server in our lab is running on Debian. I am also planning to install Seafile and OX, in order to research which of these cloud services is a better solution for our project. Now I am facing the problem of OX server authentication; I need to resolve this and continue the configuration.

Information on Ajaxplorer: http://ajaxplorer.info/

Here is the link to the OX installation tutorial: http://oxpedia.org/wiki/index.php?title=Open-Xchange_Installation_Guide_for_Debian_6.0_622

PACC: Week VII

After finishing my work on the acceleration of the VMs on my host server with the SPICE implementation, I continued to work on the problem with the connection of VMs on different hosts.

In the past days my work was mostly on the implementation of VDE2 (Virtual Distributed Ethernet).

VDE is the Virtual Distributed Ethernet. You can use it to connect virtual machines, Linux boxes, or any combination of the two. Like a real modern Ethernet network, a VDE is composed of switches and cables. Each switch has several sockets where machines can be "plugged in".

The tools used for setting up the following VDE network are:

  • vde_switch - a virtual switch

  • dpipe - two-way pipe here used to connect two switches

  • vde_plug - connects a virtual machine (VM) to a switch

  • vde_plug2tap - connects a tap device to a switch

  • qemu - for running VMs

So, finally I got my switch daemon running, and I recompiled KVM with the VDE switch option enabled. However, I faced some problems with the connection of the switch and tap interfaces. I am going to figure out how to do that in the correct way; that's my milestone for the next days.

Developing Android Application 6

Weekly Review:

Changed the formula for acceleration. Now, instead of three different accelerations, I have one linear acceleration:

lin_accel = Math.sqrt(accel_x^2 + accel_y^2 + accel_z^2) - earth_gravity

Now with this data I can move only forward or backward. I want to use data from the gyroscope and detect the angle of rotation. Although I added a low-pass filter, the accelerometer data is quite unpredictable and my object, instead of moving to one side, jumps from side to side. So I stopped here, trying to find a solution. I need a complex mathematical formula. I found a similar project at a research centre in Spain (here is their website: http://roodin.crs4.it/). Look at this video: http://www.youtube.com/watch?v=HTZFRDBdQck&feature=related. I asked them to guide me. Hopefully after finishing this part I will work on combining the maps and my code.

Transparent Proxy Week 4 Report

This week's task was to install and run Squid transparently. Unfortunately I figured out that the DNS server is not working; I don't know why, but at least I know that it was working when I installed it. I guess when I was experimenting with Squid I messed something up.

So the first step was to reconfigure the DNS server. In the default configuration file, /etc/named.conf, I changed/uncommented some lines:


listen-on port 53 { 127.0.0.1; 192.168.56.2; }; # don't forget ";" after IP address, server won't run because of this
listen-on-v6 { none; };
logging {
channel syslog_errors {
syslog user;
severity error;
};
category default { syslog_errors; };
};

Then add the DNS server to auto-run with:


sudo chkconfig named on

Give some rights to the working directory:


sudo chown -R named:named /var/lib/named/

Then I configured forward and reverse lookup using YaST:


The reverse zone: 56.168.192.in-addr.arpa
NS Records: server2.sslab.site
Records: Record key-2; Type-PTR; Value-sstlab.site

The forward zone: sstlab.site
NS Records: server2.sslab.site
MX Records: server2.sstlab.site; Priority-5
Records: server2 A 192.168.56.2
client1 A 192.168.56.3
client2 A 192.168.56.5

You should verify that DNS is working by using the commands:


dig server2.sstlab.site
nslookup client1.sstlab.site

If it is working right you will see the IP in the answer section; try it from all machines, in my case client1, client2, and server2. Useful link

The second step was to install and configure Squid. Installation is pretty easy:


sudo zypper install squid

My configuration in /etc/squid/squid.conf:


acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl localnet src fc00::/7
acl localnet src fe80::/10

acl sstlan src 192.168.56.0/24 # our network

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
access_log /var/log/squid/access.log
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost

http_access allow sstlan # allow access from our network

http_access deny all

http_port 3128 transparent # allow transparency

cache_dir aufs /var/cache/squid 5000 16 256
coredump_dir /var/cache/squid
minimum_object_size 2 KB
maximum_object_size 61440 KB
refresh_pattern ^ftp: 1440 20 10080
refresh_pattern ^gopher: 1440 0 1440
refresh_pattern -i  (/cgi-bin/|\?) 0 0 0
refresh_pattern . 0 20 4320

visible_hostname sstlab.proxy # hostname

cache_peer 10.1.1.10 parent 3128 0 no-query default # shows that there is a parent cache
never_direct allow all # more on this at http://wiki.squid-cache.org/Features/CacheHierarchy

cache_log /var/log/squid/cache.log
cache_mem 8 MB
cache_mgr aismagambetov@nu.edu.kz
cache_replacement_policy lru
cache_store_log /var/log/squid/store.log
cache_swap_high 95
cache_swap_low 90
client_lifetime 1 days
connect_timeout 2 minutes
emulate_httpd_log off
error_directory /usr/share/squid/errors/af
ftp_passive on
memory_replacement_policy lru

The last step was to configure the firewall so that traffic to port 80 is redirected to the proxy on port 3128. In /etc/sysconfig/SuSEfirewall2:


FW_REDIRECT="192.168.56.0/24,0/0,tcp,80,3128"

Now machines can surf the internet without any proxy settings.

The last thing I did was the whitelist/blacklist implementation. This is the squid.conf file with the blacklist and whitelist:


acl sstlan src 192.168.56.0/24 # our network
acl white url_regex "/etc/squid/whitelist" # Whitelist location
acl black url_regex "/etc/squid/blacklist" # blacklist location
acl admin src "/etc/squid/admin" # IP addresses that won't be blocked by white list
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow sstlan white # sstlan will use only whitelist sites
http_access deny admin black # admin IPs won't be allowed to go to blacklisted sites
http_access allow admin
http_access deny all
http_access deny to_localhost
http_port 3128 transparent
refresh_pattern ^ftp: 1440 20 10080
refresh_pattern ^gopher: 1440 0 1440
refresh_pattern -i  (/cgi-bin/|\?) 0 0 0
refresh_pattern . 0 20 4320
visible_hostname server2.sstlab.site
cache_peer 10.1.1.10 parent 3128 0 no-query default
never_direct allow all
access_log /var/log/squid/access.log
cache_dir aufs /var/cache/squid 5000 16 256
coredump_dir /var/cache/squid
cache_log /var/log/squid/cache.log
cache_mem 8 MB
cache_mgr aismagambetov@nu.edu.kz
cache_replacement_policy lru
cache_store_log /var/log/squid/store.log
cache_swap_high 95
cache_swap_low 90
client_lifetime 1 days
connect_timeout 2 minutes
emulate_httpd_log off
error_directory /usr/share/squid/errors/en-us
ftp_passive on
memory_replacement_policy lru
minimum_object_size 2 KB
maximum_object_size 61440 KB
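Both squid.conf listings above depend on Squid evaluating http_access lines top to bottom, with the first line whose ACLs all match deciding the request. The following is an added illustration, not part of this post or of Squid itself: it models the ACL types used here (src, dst, port, method, url_regex), replays the whitelist/blacklist rule order from the second listing, and shows which line decides a given request, including that the `deny to_localhost` line placed after `deny all` can never fire. The admin host address, the list contents and the request records are constructed; the two `manager` lines are left out because they use an ACL type not modelled here.

```python
import ipaddress
import re
# ACLs from the squid.conf above; the white/black/admin files are constructed inline here.
ACLS = {
    "localhost":    ("src", ["127.0.0.0/8"]),
    "sstlan":       ("src", ["192.168.56.0/24"]),
    "admin":        ("src", ["192.168.56.2/32"]),   # constructed admin host
    "white":        ("url_regex", [r"^http://intranet\.sstlab\.site/"]),
    "black":        ("url_regex", [r"^http://([^/]*\.)?example\.net/"]),
    "Safe_ports":   ("port", [80, 21, 443, 70, 210, (1025, 65535), 280, 488, 591, 777]),
    "SSL_ports":    ("port", [443]),
    "CONNECT":      ("method", ["CONNECT"]),
    "to_localhost": ("dst", ["127.0.0.0/8"]),        # Squid built-in dst ACL
}

# http_access lines in the page's order (the two "manager" lines are omitted).
RULES = [
    ("deny",  ["!Safe_ports"]),
    ("deny",  ["CONNECT", "!SSL_ports"]),
    ("allow", ["localhost"]),
    ("allow", ["sstlan", "white"]),   # lab clients: whitelisted URLs only
    ("deny",  ["admin", "black"]),    # admin hosts: everything except the blacklist
    ("allow", ["admin"]),
    ("deny",  ["all"]),
    ("deny",  ["to_localhost"]),      # never reached: "deny all" matches first
]

def acl_matches(ref, req):
    """Evaluate one ACL reference ("name" or "!name") against a request dict."""
    name, negate = ref.lstrip("!"), ref.startswith("!")
    if name == "all":
        return not negate
    kind, values = ACLS[name]
    if kind in ("src", "dst"):      # req["src"] / req["dst"] are IP address strings
        addr = ipaddress.ip_address(req[kind])
        hit = any(addr in ipaddress.ip_network(v) for v in values)
    elif kind == "port":            # single ports or (low, high) ranges
        hit = any(v[0] <= req["port"] <= v[1] if isinstance(v, tuple) else v == req["port"] for v in values)
    elif kind == "method":
        hit = req["method"] in values
    else:                           # url_regex, matched against the full URL
        hit = any(re.search(v, req["url"]) for v in values)
    return hit != negate

def decide(req, rules=RULES):
    """First matching http_access line wins -> (verdict, index); no match -> opposite of last line."""
    for i, (verdict, acls) in enumerate(rules):
        if all(acl_matches(a, req) for a in acls):
            return verdict, i
    return ("allow" if rules[-1][0] == "deny" else "deny"), None

def unreachable_rules(rules=RULES):
    """Indices of lines after an unconditional 'all' line; they can never decide."""
    cut = [i for i, (_, acls) in enumerate(rules) if acls == ["all"]]
    return list(range(cut[0] + 1, len(rules))) if cut else []
```

Note that an admin host inside 192.168.56.0/24 reaches whitelisted URLs through the `sstlan white` line first, so the admin lines only matter for URLs outside the whitelist.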

Weekly meeting 26.07.2013

Professor Michael Lewis:

  • Told good news from the Samsung meeting (internship in the Samsung office in Moscow, Samsung Lab and Samsung devices)

Asset:

  • Succeeded in setting up a transparent proxy with the SQUID proxy server, wants to join Assulan

TODO: Talk with Shyrailam and collaborate with her

Alexandra:

  • LDAP secure connection doesn't work using STARTTLS but works over SSL/TLS. Changed some settings in Aldab and connected to OwnCloud

TODO: look at NFS and try to configure it

Yerkanat:

  • Working on OpenStack

TODO: will finish OpenStack soon

Alexandr:

  • Almost finished M23

TODO: Help Yerkanat to finish OpenStack

Raushan:

  • Found the Tiled map editor and learned it.

TODO: Create the final user interface, combine the user interface and map, create source code for maps

Damir:

  • Changed the moving formula, tried to combine the results of gyroscope and accelerometer data. Found a similar existing project in Spain

TODO: Look through the internet for an accurate formula, wait for an answer from the research center in Spain

Temirlan:

  • Worked on the virtualization stuff, solving the problem with the connection of virtual machines on different hosts by using VDE2. Has faced problems with switches, will be using dpipe.

Shyrailym:

  • Was working on KVM and VDE

TODO: to connect the virtual network on different hosts