Using a (host) reverse-proxy together with LXC application servers

The basic idea is to move application servers into LXC containers while keeping the HTTP server part (which is also responsible for hosting static files) on the host system. Normally an incoming request would be handled by an HTTP server on the host as well as by an HTTP server on the virtualized client:

browser -> http server (host) -> http server (guest) -> app-server (guest)

I’m configuring the host HTTP server to directly communicate with the app worker, thus: ...

April 25, 2014 · 2 min · 407 words · Andreas Happe

How to convert a KVM image into an LXC container

KVM was an improvement over Xen for me. Still, for many use-cases LXC is a more performant, light-weight alternative – which also seems to be en vogue nowadays. Through switching to LXC I’ve reduced my overall memory usage a bit – the main benefit is that processes within an LXC container are separate processes within the host system. This should allow the host system to manage memory (think cache, buffers, swap, etc.) more efficiently. ...

April 7, 2014 · 5 min · 888 words · Andreas Happe

How to use virt-install to install new virtual machines within libvirt/kvm

I’ve been using KVM and virt-install to manage virtual machines on one of my servers; this post shows how to use virt-install. According to the package management system I have the following packages installed:

    root@edgewalker ~ # dpkg -l | grep virt
    ii libvirt-bin 1.1.1-0ubuntu8.1 amd64 programs for the libvirt library
    ii libvirt0 1.1.1-0ubuntu8.1 amd64 library for interfacing with different virtualization systems
    ii munin-libvirt-plugins 0.0.6-1 all Munin plugins using libvirt
    ii openvpn 2.3.2-4ubuntu1 amd64 virtual private network daemon
    ii python-libvirt 1.1.1-0ubuntu8.1 amd64 libvirt Python bindings
    ii qemu-kvm 1.5.0+dfsg-3ubuntu5 amd64 QEMU Full virtualization on x86 hardware (transitional package)
    ii virt-top 1.0.7-1 amd64 show stats of virtualized domains
    ii virtinst 0.600.4-2ubuntu2.1 all Programs to create and clone virtual machines

Storage-wise I’m using a LVM volume group called ‘vg0’ (which was imported into the libvirt configuration). ...

March 22, 2014 · 2 min · 290 words · Andreas Happe

Rogue Access Point and SSL Man-in-the-Middle the easy way

After I tried setting up a rogue access point using squid and hostapd, I saw that KDE’s network-manager offers host access-point functionality. How easy is it to combine this with BURP for an SSL man-in-the-middle attack? Well, some GUI clicking and 3 command line invocations.

The Hardware

I bought two USB 802.11n wireless adaptors on deal extreme; so far both of them work as an access point:

- a small whitish one for $5.55, perfect for working “undercover”. This was supported by a standard Ubuntu 13.10 installation.
- a larger one for $8.92, should have a better reception as it has an antenna (you see that I’m a software guy). Be aware that you’ll need a recent Kernel for this version, Kernel 3.13 in the upcoming Ubuntu 14.04 supports it.

Setting up the Hardware

Hostap was rather hard to set up, how is KDE faring? You can add a new “Wireless (shared)” network connection within the network manager (this was done with the network-manager in KDE 4.12, KDE 4.13 looks similar). ...

March 20, 2014 · 2 min · 419 words · Andreas Happe

How to set up a rogue access point with a transparent HTTP(s) proxy

I’m always reading about dangerous rogue access points but have never actually seen one in action. So what better than to create a test setup.

Hardware for this test setup will be:

- my old linux notebook (a macbook pro) as fake access point
- a small deal extreme network card (Ralink 5070 chipset). I’ve actually bought three different wireless cards for under $20 and am trying out the different chipsets. This card is rather small (like a USB stick), so it isn’t too conspicuous

The basic idea is to use hostap to create a virtual access point. Were I a hypothetical attacker, I’d call it ‘starbucks’, ‘freewave’ or name it like some coffee shop around the corner. I’m using the notebook’s included wireless card to provide an internet uplink. To achieve this I will have to compile a custom version of squid (including ssl support). I’m using Ubuntu 13.10 for this, other linux distributions would work the same. ...

February 24, 2014 · 6 min · 1111 words · Andreas Happe

Politics: there seems to be no middle anymore

Yesterday was this year’s “Akademikerball” in Vienna. This is a continuation of the former WKR ball – which is used for right-wing networking across Europe and organized by the Austrian Freedom Party. This party in turn is a right-wing party: populist, xenophobic, haven of people with a far-right history. Opposed to this party were protests mostly organized by the left-ish social party and the green-alternative party. Police forces were using this event as a show-of-strength. Traditionally the executive is seen as the long arm of the people’s party (OeVP) – a party with historic roots in the christ-fascist party of the ’30s, the last decades it is more of a liberal-economic party. True to its roots, freedom-of-press and the right-to-assemble were severely limited during the event. ...

January 26, 2014 · 3 min · 429 words · Andreas Happe

Luxury is Slavery

It’s weakness. Well, at least un-enjoyed luxury that has become an everyday event is. This has nothing to do with morals. Luxury costs money. Making money makes you dependent and consumes your free time, it reduces your financial freedom. So if you’re spending your life on luxury make sure that it counts and you’re enjoying it every moment.

January 5, 2014 · 1 min · 58 words · Andreas Happe

Review and New Year's resolutions

Yeah, let’s make some new year’s resolutions so that I can feel bad breaking them. The big ones are:

- Stop smoking. And nail-biting. Both might be the same outlet of my nervousness, let’s see if I can get them under control.
- Start doing Yoga and/or Meditation again. To be honest, this will be needed to get resolution #1 to work.
- Continue climbing. Alas my left wrist joint seems to have suffered sometime last year – I’m gonna go to the doctor, but might have to reduce my bouldering for a bit. I might try to soak up my free time with Yoga. Sarcastic, as doing yoga was replaced by bouldering in 2013.
- Cooking vs. delivery-service: this will be a tough one. Currently I’m ordering way too much through the delivery service. In addition lots of the food eaten at home is just convenience food. I do not like the fact that delivery food is either way too expensive or unhealthy (or both).

Then there are some “more of the same” resolutions: ...

December 31, 2013 · 2 min · 286 words · Andreas Happe

Cleaning Up

With the year’s end comes the time for reviews and cleanups. Reducing cruft allows your mind to be free, with it comes a sense of closure and empowerment. Otherwise all my possessions would drag me down. Stuff I really like to do at this time is:

- Review existing bank accounts and service contracts (like phone/internet/power plans). Reduce them to maintain some sense of control.
- Books: I hoard them even if most of them are not exactly Pulitzer-prize material. I’ve read each of them but won’t read most of them again – so they’re mostly dead weight. There are places like public libraries or book sharing (i.e. Wortschatz in Vienna, Austria) places that love (and need) new books – sharing is caring. Add your books to the BookCrossing Index before sharing them and see where they have traveled and what people reading them think.
- Clothing drives. I try to make my wardrobe work: so far I’m having far too many tshirts and am lacking other stuff (there’s not too much sense in having tshirts for four weeks when I’ll have to do my laundry every two weeks due to my trousers count). So I’ve imposed a new rule: when buying new clothes I have to donate at least one old item.
- Old paper work: depending upon the jurisdiction you’re living under you might have to keep old (business) paper work. Here in Austria you’re allowed to discard paperwork after seven years – so each time at the end of the year I’m going through the archives and find stuff that is not needed anymore but still wastes space.

There’s another problem: I hoard stuff. For example I own some rare bottles of whisky that are (by now) too expensive to drink. This is stuff that won’t go away easily. My solution is to give them as presents upon special occasions. To prevent this situation from happening again I’m imposing some new rules: I won’t buy new Whisky when my existing collection is worth more than 600 Euro.

December 29, 2013 · 2 min · 336 words · Andreas Happe

How to use FakeS3 for S3 testing

I’m contributing to a secure cloud project (well, it’s not that secure yet, but getting there..). Its backend storage options include S3 so I want to test the S3-functionality against a locally installed S3 server. I first tried to utilize OpenStack Object Storage (Swift) or Riak, but both solutions were rather heavy-weight and cumbersome to set up. Bear in mind that I just wanted some fake S3 storage server which would be deployed within a local network (without any internet connection). So security, authentication, performance were mostly moot. ...

December 24, 2013 · 3 min · 604 words · Andreas Happe