Al Hoang

For an Apache user, coming to IIS can be a little disorienting. One thing

you’ll eventually come across is wanting Virtual Hosts. Here are some

links I found useful in telling you where in the forest of menus you can

enable it:

IIS Answers

MSDN’s very own

These I found useful in helping identify pieces that need to be looked at if

you want to lock down an IIS server before putting it online:

U of Washington’s Guidelines

Security Focus Guidelines

I’ve been playing with JOnAS lately and have been puzzling out how to get

RMI working through a firewall. Normally RMI uses dynamic ports which

represents pain and suffering if you want to use JMX. The documentation

for JOnAS is located

here. After glancing at the JOnAS config I was disheartened to find it

wasn’t just ’set the RMI port’. It was set the port for a particular protocol

RMI will run over:

Oh great. All those wonderful docs on JMX that I read

before didn’t exactly mention I’d have to

choose the transport protocol for RMI. Why is it everytime you try to learn

more about Java stuff it’s like falling into the rabbit hole?

So after poking around I found what I was looking for in the Javadocs

on JMX here. This is what the docs say:

So there you have it. By DEFAULT JMX will default to using JRMP but it

can also use IIOP. Lots more Java acronym soup to figure out.

References:

• My previous encounter with JMX and firewalls

• Getting RMI working with JOnAS through a firewall hints

• JMX JavaDocs describing RMI protocols.

Penguin Pete took a whirlwind test drive of Plan 9 and posted a review

here. I found his review quite

informative and I learned a bit from his travails trying to get the hang of

Plan 9. One thing that was disappointing was reading his comments. It

seems there are some people who have to flaunt their knowledge…

While I can understand the viewpoint of the nasty commentor to some extent.

It is that type of attitude that can easily turn me off. If you

look at it from the person trying to step into something new…

it is hard enough slipping out of

some well-worn shoes to try out those new fangled sneakers without being

ridiculed for it. (No good deed goes unpunished?)

I don’t find it acceptable behavior to being snapping at someone when

they honestly don’t know and are not trying to be malicious. However

there are times when I would snap. Here are couple of situations

where I would:

• It’s pretty obvious they are trying to slander X
• They have been repeatedly told the SAME thing over and over and REFUSE

  to follow said advice and continue to complain.

Read the review yourself.

Here’s one expat’s impressions after spending a year in Vietnam. He compares

it to life in China…

Read it yourself

-Jeffrey Friedl

Read it yourself

If you are one of those waiting to get onto the HD bandwagon I’m

sure you’re now wondering which format will win out. Blu-Ray or

HD-DVD. I have no answers but Cracked.com

has a rather tongue-in-cheek

breakdown

on the format wars

My personal opinion? Stay away until the dust clears if you can live

without being able to see the nose hairs on all your favorite actors.

Read it yourself

This looks very cool

If the picture doesn’t seem clear, it’s a little robot that acts

as a portable mini speaker for your music devices

Thanks to Gizmodo for digging this up from

Quick Journal.

This looks very cool

If the picture doesn’t seem clear, it’s a little robot that acts

as a portable mini speaker for your music devices

Thanks to Gizmodo for digging this up from

Quick Journal.

One day I started having issues with my clients trying to mount or re-mount a NFS share. Here’s what it looked like:
On machine 1:
$ mount /shared
mount: RPC: Program not registered


On machine 2:
:~$ mount /shared
mount to NFS server ‘nfs’ failed: server is down.

I have something like /shared as a shared NFS directory.
After scritching my head I decided to google for both messages.
The first led me to here:
UbuntuForums on NFS Server issues
and here:
FreeBSD Diary on NFS Portmap

I found that the second link actually led me to my answer. If you reboot your NFS server. Sometimes the clients might not be able to see mount NFS partitions. Try restarting the NFS server process on your NFS server in order to fix it.
For Ubuntu/Debian it’s quite easy. Use nfs-kernel-server in /etc/init.d. Here is a sample log:

sudo /etc/init.d/nfs-kernel-server restart
* Stopping rpc mountd...                                                [ ok ]
* Stopping rpc nfsd...                                                  [ ok ]
* Unexporting directories for NFS kernel daemon...                      [ ok ]
* Exporting directories for NFS kernel daemon...                        [ ok ]
* Starting rpc nfsd...                                                  [ ok ]
* Starting rpc mountd...                                                [ ok ]

Well I got hit by this bug and it’s really annoying. On reboot of a
Linux box I’m working with I noticed the system clock was majorly skewed.
Since I wasn’t running anything really critical, I decided to update the time
via ntpdate so all the system clock would ‘right’ itself out. Then I get
the following when I try to sudo

$ sudo ls
sudo: timestamp too far in the future:

Wonderful. If you don’t already have ‘root’ access in Ubuntu you can’t
sudo to get to root so you’re stuck. If your clock was running too fast
and you synced it back to the right time it should be possible to wait until
the ‘right’ time if it’s not too unreasonable a wait. OR if you have
root you can do this:

# rm -r /var/run/sudo/

This clears out the cache for your userid that sudo keeps so you can sudo again.
Yet another example of something that looks well in a secure sense can
cause weird breakage way way down the line.

A helpful
forum thread about this problem in Ubuntu

This time they’re researching…. solar cooled beer! Won’t solve poverty
but will solve lots of other problems.

Read it yourself. Thanks to Gizmodo for digging this up.

No comment

So I read some articles ( [1], [2], [3]) on a really nice piece of technology called Java Management Extensions (JMX) that allows you to:

• Watch memory usage of a Java JVM in real time
• Allows this to be done remotely as well as locally
• Offers a very nice GUI called JConsole
• Allows you run the garabage collector on the Java VM (I think) in order to try to reclaim unused memory

After reading this I was convinced it was the greatest thing since sliced bread and started enabling it. My first shot at following the instructions above was a failure. I didn’t connect to anything. After some network tracing and head scritching I googled around and found people also had similar issues ( [4], [5], [6], [7], [8] ). The problem revolves around the fact that JMX relies on some older Java technology called RMI.

RMI by default uses a model that is very similar to Sun’s RPC mechanism which means it uses dynamic ports to be able to communicate between a client and a server. Dynamic ports is a big problem when you have a firewall configured on your host. So all the instructions in [1], [2], and [3] are completely useless if you have a firewalled configuration. The port setting that you are giving in those instructions is merely for a serviced called the RMI registry whose main job is to listen for connections then tell the client to connect to some dynamically assigned port on the server.

However it IS possible to write some Java glue code to statically assign a listening port for the RMI server. This is documented in [5], [6], and [7] however I found the documentation a little bit lacking if you don’t really know web programming in Java really well. For example where do you put the code snippets? Why are they using a static method if it’s going into a servlet? (As far as I know you should put it in init() and NOT make it static if you want to follow the Servlet API) Where do you drop this into Tomcat? Do I need to configure one of those aggravating XML config files? So, here is my (sorta) step-by-step process for enabling JMX on Tomcat with a firewall for those of us who aren’t Java experts but can read a little bit on Java Servlet Programming to figure out how to make a simple webapp:

1. Decide on 2 ports to open up on your firewall.
   I chose 9999 and 3000. 9999 is my RMI Registry listener and 3000 is where the RMI server is
2. Create a servlet that you will copy as a webapp into your Tomcat directory.
   For my webapp, I call it JMXPortServer
3. You can use servlet code like the following (Stolen MOSTLY from the links
4. I created a file called JMXPortServer.java for the object JMXPortServer.
   This file will go into $WEBAPP_HOME/WEB-INF/classes/ when it’s compiled. Here is what went into my JMXPortServer (It’s basically stolen from the links above with some changes to follow the Java Servlet API.

   import java.io.IOException;
   import java.io.PrintWriter;
   import java.lang.management.ManagementFactory;
   import java.rmi.registry.LocateRegistry;
   import java.util.HashMap;
   
   import javax.management.MBeanServer;
   import javax.management.remote.JMXConnectorServer;
   import javax.management.remote.JMXConnectorServerFactory;
   import javax.management.remote.JMXServiceURL;
   import javax.servlet.ServletException;
   import javax.servlet.http.HttpServlet;
   import javax.servlet.http.HttpServletRequest;
   import javax.servlet.http.HttpServletResponse;
   
   public class JMXPortServer extends HttpServlet {
           private static final long serialVersionUID = 1L;
           static JMXConnectorServer cs;
           static String jmxHost;
   
           public void init() throws ServletException {
                   try {
                           // Start rmi registry
                           System.out.println("Create the RMI registry on port 9999");
                           LocateRegistry.createRegistry(9999);
   
                           //      Instantiate the MBean server
                           System.out.println("Get the platform's MBean server");
                           MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
                           //  Environment map
                           System.out.println("Initialize the environment map");
                           HashMap env = new HashMap();
   
                           //      Create an RMI connector server
                           System.out.println("Create an RMI connector server");
                           JMXServiceURL url = new JMXServiceURL(
                           "service:jmx:rmi://localhost:3000/jndi/rmi://localhost:9999/server");
                           JMXConnectorServer cs =
                                   JMXConnectorServerFactory.newJMXConnectorServer(url, env, mbs);
   
                           // Start the RMI connector server
                           System.out.println("Start the RMI connector server");
                           cs.start();
                   } catch (Exception ex) {
                           System.err.println(ex);
                   }
   
           }
   }
   

5. Create a web.xml that will go in $WEBAPP_HOME/WEB-INF/web.xml.
   Click Here to download a suitable web.xml file ( Viewing XML in HTML is a pain)
6. In your web.xml file you need to be sure you have an XML tag with load-on-startup.
   This will ensure that this servlet is loaded when Tomcat starts up rather than when Tomcat feels it is appropriate. (I got bit by this one)
7. Now you should be able to make a warfile from the pieces shown above and drop this into Tomcat.
8. I think you need to also set -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false in your JAVA_OPTS (JVM Options) (For Tomcat look in $CATALINA_HOME/bin/setenv.sh for a good place to set this)
9. This warfile you can now just drop into Tomcat and it will always start up the JMX Console so you can monitor things
10. To connect with JConsole you’ll need to enter the following URL service:jmx:rmi://myserver:3000/jndi/rmi://myserver:9999/server.
    Make sure to substitute the name or IP address of your server with myserver

Caveats

• I’ve done nothing about security here. From here on you’re on your own
• The code is REALLY ugly (I could fix a lot) but I know it works
• I could be doing something wrong but since I’m not a Java ninja… oh well.. someone can email me and point it out

References

AMIS: Modify Spring Beans and log4j levels via JMX
O’Reilly: Monitoring Local & Remote Apps using JMX
JBoss: Using Jconsole
Penrose: Can’t connect to a remote penrose server
Java Forums: Port redirection problems and RMI
Tomcat Bug 39055: Firewall access for JMX
JConsole through a firewall
JMX-RMI-SSL

I’m trying to get the hang of Eclipse
and I always seem to find myself getting annoyed with all the documentation
I find for newbies. My goal is the following:

Install an Eclipse plugin under Linux

Sounds simple, right? Well here are some my system configuration settings
that I feel are relevant:

• I’m running Ubuntu Dapper
• I installed Eclipse via ubuntu’s package management tool

So here are some immediate solutions I thought of…

• Become root and install into /usr/share/eclipse/plugins
• Pros
• Since I’m the sys admin, it’s easy to do
• Straightforward to me and maps to the same notion in Windoze
• Cons
• If I deinstall Eclipse for some reason or upgrade, what happens to my
  plugin?
• Why do I need to become root?
• Doesn’t Eclipse have some facility for reading plugins per-user?
• Open up the Help in Eclipse and search for Plugin
• I ended up getting tons of documentation on how to MAKE a plugin but…
• Where’s the docs on installing a plugin?
• Where’s the docs explaining where Eclipse reads plugin information from?
• Where’s the docs explaining what dirs I need to look for plugins?
• Where’s the tutorial for installing plugins?
• Install my own version of Eclipse in my home directory
• Pros
• Straightforward to me
• No need for root
• I can get the latest and greatest!
• Cons
• Didn’t I just toss out the usefulness of my package manager?
• I don’t care about latest and greatest, I just want working
• More disk space wasted
• I bet it’s going to ask me to compile something…

After googling around finally I finally hit on a link that explains it properly.
To save you the same aggravation as me here’s the
link and here’s the
Google search I tried that worked. So far I have to say this is on par for most
products that have come out of the Java camp. Documentation is plentiful, just
not the documentation you need or want to achieve your goal. Of course, the
excuse that ‘Google is your friend’ comes up often. So much for documentation…

Install Eclipse plugins as a normal user in Linux