Monthly Archives: August 2008

This blog is now mobile friendly! Just point your mobile browsers to http://m4dsk1llz.mofuse.mobi

Amazon Elastic Block Store (EBS) is basically a volume that you can create on demand. EBS volumes appear as block devices inside an EC2 instance. These volumes, ranging from 1GB to 1TB in size, can be attached to an EC2 instance, partitioned, formatted and then mounted just like any other file system. Each AWS account is entitled to 20 EBS volumes. You can attach many EBS volumes to an EC2 instance but an EBS volume can only be attached to one EC2 instance at a time.

The best thing about EBS is that data is persistent and volumes have redundancy built in. If a drive on their SAN fails, you’ll still have your data. It’s not as reliable as S3, but it beats keeping your data on EC2, where your files are lost once an instance is destroyed.
Just like EC2 instances, EBS volumes exist in a particular Availability Zone. The not-so-good thing about this is that you can only attach an EBS volume to an EC2 instance in the same Availability Zone, unlike S3. But you can’t mount an S3 bucket, right? ;)

You can also make snapshots of EBS volumes. A snapshot is a backup of an EBS volume at a specific point in time. Snapshots are stored in S3. Making backups this way is more efficient than making a big tarball of the files you need to back up and sending it to S3. Your EBS volume is “frozen” the moment you call the snapshot command, unlike other means of transferring to S3 where data can be modified in the middle of a transfer. Making snapshots is also resource-efficient: it does not consume the instance’s CPU cycles, since it is not the instance that creates the snapshot. Snapshots are also incremental, which means you’ll save time and space. You can’t see EBS snapshots using the S3 API.

From http://wiki.rightscale.com/2._References/EBS/01-Overview_of_Elastic_Block_Storage_(EBS)

The costs of EBS will be similar to the pricing structure of data storage on S3. There are three types of costs associated with EBS.

Storage Cost + Transaction Cost + S3 Snapshots = Total Cost of EBS

  • Storage Costs
    The cost of an EBS Volume is $0.10/GB per month. You are responsible for paying for the amount of disk space that you reserve, not for the amount of the disk space that you actually use. If you reserve a 1TB volume, but only use 1GB, you will be paying for 1TB.

      • $0.10/GB per month of provisioned storage
  • Transaction Costs
    In addition to the storage cost for EBS Volumes, you will also be charged for I/O transactions. The cost is $0.10 per million I/O transactions, where one transaction is equivalent to one read or write. This number may be smaller than the actual number of transactions performed by your application because of the Linux cache for all file systems.

      • $0.10 per 1 million I/O requests
  • Snapshot Costs
    Snapshots are compressed, and their cost is based on the blocks altered since the previous snapshot. Files that altered blocks on disk and were then deleted will, for example, still add to the cost of the snapshot. Remember, snapshots work at the data block level.

      • $0.15 per GB-month of data stored
        $0.01 per 1,000 PUT requests (when saving a snapshot)
        $0.01 per 10,000 GET requests (when loading a snapshot)

NOTE: Payment charges stop the moment you delete a volume. If you delete a volume and the status appears as “deleting” for an extended period of time, you will not be charged for the time needed to complete the deletion.

Elasticfox has recently been updated to add support for EBS.

Creating a new volume is fairly easy. Just click on the + button on the Volumes pane and a window will appear.

Enter the size (in GB) of the volume you’re creating and the Availability Zone of your EC2 instances. Since we’re creating a volume from scratch, Snapshot ID should be set to .


The next step is to attach it to an EC2 instance. Select an instance from the drop-down box and enter the device name (what it will appear as within the EC2 instance).

Your EBS volume is now attached to your EC2 instance.

To make a snapshot of an EBS volume, right click and select Create a new snapshot from this volume. This might take a while depending on the size of the volume you created.

Since it is impossible to attach an EBS volume to more than one EC2 instance, you can clone it instead. Right click on the snapshot and select Create a new volume from this snapshot.

Enter the size of the volume and click Create.

The newly created volume will now appear under the Volumes pane with a SNAP ID this time.

All in all, Elastic Block Store is a great product from Amazon. We rely on EC2 for our non-production deployments with the fear of losing our data once an instance is killed. With the release of EBS, we can now put our data (usually webapps) on a volume instead of inside an EC2 instance.

What I need now is a strategy to cost-effectively use EBS. Our modified data (the files not in the bundle) are scattered: virtual host definitions in /etc, Java webapps in /opt, RoR and PHP webapps in /var. At first I was thinking of creating symlinks. Let’s say one of our instances dies. After launching another one from a bundle, I’ll just attach and mount the volume and create the necessary symlinks (ln -s /mnt/ebs/html /var/www/html).

This way we do not have to make constant backups from EC2 to S3. It is more efficient to create volume snapshots than to tar your /var/www/html and send it to S3 via s3cmd. Even though your data in EBS is persistent and has some form of redundancy, it’s still a good idea to make snapshots to S3.
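The symlink approach has one trap worth handling: on an instance freshly launched from the bundle, /var/www/html already exists as a directory, and a bare ln -s then creates the link inside it instead of replacing it. The following Python is an added example, not code from the post; it makes the links idempotently, moving the bundle’s directory aside first. The /mnt/ebs layout and the scratch-root parameter used for the self-test are assumptions.

```python
import os
import shutil
import tempfile
from pathlib import Path

def relocate(link_path, target, root="/"):
    """Make link_path a symlink to target (both absolute paths). `root` is a
    prefix used only so the function can be exercised in a scratch directory.
    A bare `ln -s /mnt/ebs/html /var/www/html` misbehaves when /var/www/html
    already exists as a directory (it does, fresh from the bundle): ln creates
    /var/www/html/html inside it and the web server keeps serving the bundle's
    copy. So an existing directory is moved aside to <path>.bundle first.
    Returns 'ok' (already correct), 'moved' (directory set aside) or 'linked'."""
    link = Path(root, link_path.lstrip("/"))
    dest = Path(root, target.lstrip("/"))
    if not dest.is_dir():
        raise FileNotFoundError(f"{dest} missing: is the EBS volume mounted?")
    if link.is_symlink():
        if link.resolve() == dest.resolve():
            return "ok"
        link.unlink()                      # stale link from an earlier layout
        state = "linked"
    elif link.exists():
        backup = link.with_name(link.name + ".bundle")
        if backup.exists():
            raise FileExistsError(f"{backup} exists; refusing to overwrite it")
        link.rename(backup)
        state = "moved"
    else:
        link.parent.mkdir(parents=True, exist_ok=True)
        state = "linked"
    os.symlink(dest, link)                 # absolute target: valid from any cwd
    return state

def demo():
    """Constructed scratch layout mirroring the post: the webapp lives on the
    volume mounted at /mnt/ebs, and the bundle already ships a /var/www/html."""
    root = tempfile.mkdtemp()
    Path(root, "mnt/ebs/html").mkdir(parents=True)
    Path(root, "mnt/ebs/html/index.html").write_text("from ebs")
    Path(root, "var/www/html").mkdir(parents=True)
    Path(root, "var/www/html/index.html").write_text("from bundle")
    first = relocate("/var/www/html", "/mnt/ebs/html", root)
    second = relocate("/var/www/html", "/mnt/ebs/html", root)  # idempotent
    served = Path(root, "var/www/html/index.html").read_text()
    kept = Path(root, "var/www/html.bundle/index.html").read_text()
    shutil.rmtree(root)
    return first, second, served, kept
```

Run relocate() once per mapping after the volume is mounted; a second run reports "ok" and changes nothing, so it is safe to put in a boot script.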

I’m wondering how much Amazon will charge us if I create a volume out of a Linux distribution and chroot / it :)

Quoting Yanskie, “Thanks Amazon! You’re the best!”

We interrupt this program for a not so important announcement:

My driver’s license expires today Ü

And now, back to our regular programming.

Another howto for the sake of posterity :)

Create /etc/ipsec.conf on Machine A


## machine A
# external IP: 111.111.111.111
# internal network: 192.168.1.0/24
## machine B
# external IP: 222.222.222.222
# internal network: 192.168.2.0/24

ike esp from 192.168.1.0/24 to 192.168.2.0/24 peer 222.222.222.222 psk supersecretpassphrase
ike esp from 111.111.111.111 to 192.168.2.0/24 peer 222.222.222.222 psk supersecretpassphrase
ike esp from 111.111.111.111 to 222.222.222.222 psk supersecretpassphrase

Create /etc/ipsec.conf on Machine B


ike esp from 192.168.2.0/24 to 192.168.1.0/24 peer 111.111.111.111 psk supersecretpassphrase
ike esp from 222.222.222.222 to 192.168.1.0/24 peer 111.111.111.111 psk supersecretpassphrase
ike esp from 222.222.222.222 to 111.111.111.111 psk supersecretpassphrase

Edit /etc/rc.conf.local on both machines


## start the isakmpd
isakmpd_flags="-K"
ipsec=YES

Allow VPN traffic on Machine A


vpn_net = "192.168.2.0/24"

pass in quick on tun0
pass out quick on tun0
pass in quick on $int_if from $lan_net to $vpn_net
pass out quick on $int_if from $vpn_net to any


Allow VPN traffic on Machine B


vpn_net = "192.168.1.0/24"

pass in quick on tun0
pass out quick on tun0
pass in quick on $int_if from $lan_net to $vpn_net
pass out quick on $int_if from $vpn_net to any



Reboot the machine to check if everything starts at boot

Running netstat -rn on Machine A should give something like:


Encap:
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
192.168.2/24     0     111.111.111.111/32   0     0     222.222.222.222/esp/use/in
111.111.111.111/32   0     192.168.2/24     0     0     222.222.222.222/esp/require/out
222.222.222.222/32    0     111.111.111.111/32   0     0     222.222.222.222/esp/use/in
111.111.111.111/32   0     222.222.222.222/32    0     0     222.222.222.222/esp/require/out
192.168.2/24     0     192.168.1/24     0     0     222.222.222.222/esp/use/in
192.168.2/24     0     192.168.2/24     0     0     222.222.222.222/esp/require/out
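Rather than eyeballing that table, the flows can be checked against the config. This is an added Python example, not from the post: it derives the two kernel flows each ike esp line should install (the use/in and require/out pair seen above) and compares them with the Encap section of netstat -rn, reporting flows that are missing or unexplained. The netstat sample it embeds is constructed to match Machine A’s ipsec.conf.

```python
import re
# Machine A's ipsec.conf from the post (placeholder PSK) and a constructed
# netstat -rn Encap section showing what it should install.
CONF_A = """\
ike esp from 192.168.1.0/24 to 192.168.2.0/24 peer 222.222.222.222 psk supersecretpassphrase
ike esp from 111.111.111.111 to 192.168.2.0/24 peer 222.222.222.222 psk supersecretpassphrase
ike esp from 111.111.111.111 to 222.222.222.222 psk supersecretpassphrase
"""
NETSTAT_A = """\
Source             Port  Destination        Port  Proto SA(Address/Proto/Type/Direction)
192.168.2/24       0     111.111.111.111/32 0     0     222.222.222.222/esp/use/in
111.111.111.111/32 0     192.168.2/24       0     0     222.222.222.222/esp/require/out
222.222.222.222/32 0     111.111.111.111/32 0     0     222.222.222.222/esp/use/in
111.111.111.111/32 0     222.222.222.222/32 0     0     222.222.222.222/esp/require/out
192.168.2/24       0     192.168.1/24       0     0     222.222.222.222/esp/use/in
192.168.1/24       0     192.168.2/24       0     0     222.222.222.222/esp/require/out
"""
FLOW = re.compile(r"^ike\s+esp\s+from\s+(\S+)\s+to\s+(\S+)(?:\s+peer\s+(\S+))?\s+psk\s+\S+$")

def norm(cidr):
    """netstat prints '192.168.2.0/24' as '192.168.2/24' and bare hosts as /32."""
    addr, _, plen = cidr.partition("/")
    octets = (addr.split(".") + ["0"] * 3)[:4]
    return ".".join(octets) + "/" + (plen or "32")

def expected_flows(conf):
    """Each 'ike esp from S to D [peer P]' line gives D->S use/in and S->D require/out."""
    flows = set()
    for line in conf.splitlines():
        m = FLOW.match(line.split("#", 1)[0].strip())
        if m:
            s, d, p = m.group(1), m.group(2), m.group(3) or m.group(2)
            flows.add((norm(d), norm(s), p, "use", "in"))
            flows.add((norm(s), norm(d), p, "require", "out"))
    return flows

def installed_flows(netstat):
    """Parse Encap rows: Source, Port, Destination, Port, Proto, SA."""
    flows = set()
    for line in netstat.splitlines():
        f = line.split()
        if len(f) == 6 and "/esp/" in f[5]:
            peer, _, kind, direction = f[5].split("/")
            flows.add((norm(f[0]), norm(f[2]), peer, kind, direction))
    return flows

def compare(conf, netstat):
    """(missing, unexpected): wanted-but-absent flows, and flows no config line explains."""
    want, have = expected_flows(conf), installed_flows(netstat)
    return want - have, have - want
```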

iPhone Dev Team just released PwnageTool 2.0.2. It supports jailbreaking and unlocking (1st gen only) of iPhone firmware 2.0.1. I upgraded to firmware 2.0.1 just a few days ago and it jailed my phone again. I don’t really need the jailbreak. Since my phone is already unlocked, it’s more of a “nice to have” than a “badly needed” feature.

Jailbreaking and unlocking iPhones have become very trivial. Using Pwnage, just load the vanilla firmware from Apple and it will create a custom firmware. You will then restore your iPhone via iTunes using this custom firmware while in DFU mode.

The only thing I really, really need from the jailbreak is the option to turn off auto-correction. The auto-correction feature does not apply only when composing SMS messages; Notes and Mail are also affected. I’m really having a hard time texting in Tagalog because of this auto-correction. I don’t text in English. I don’t text my boss in English. I don’t text our expats. I don’t text txtspk :)

Here’s what I installed from Cydia

BOSS PREFS
It provides an easy way to toggle your WiFi, EDGE, SSH, etc. You can also reboot or respring from here.

MOBILE TERMINAL
This has got to be the iPhone’s killer app, and it’s not even official! It’s not an SSH client. It’s not a telnet client. It’s a vt100 emulator. You can see and edit the whole filesystem. You can execute commands from the shell. OpenSSH, wget, curl, nmap, netcat and tcpdump have all been ported to the iPhone and made available through Cydia. You can use hand gestures for scrolling up, scrolling down, tab completion, ^C, etc.

Mobile Terminal on 2.0+ is still a little buggy compared to the 1.x version. Going to ‘config’ crashes the app.

SCUMMVM
This is an official port of the LucasArts SCUMM interpreter, used in games such as Monkey Island, Indiana Jones, Day Of The Tentacle and Sam and Max. Only a few people appreciate these kinds of games.

Klick is a Flickr client. Let the screenshots do the talking.

Klick is available for free at the App Store

I’m posting this for posterity’s sake. Tested on OpenBSD 4.2 and 4.3 servers and Win XP SP2, Mac OS X 10.5.2 and iPhone 2.0.1 clients

Download and install the Poptop package found here.

Create additional tunnel devices:

# cd /dev
# ./MAKEDEV tun? (where ? is the device number)

/dev/tun0 to /dev/tun3 exist by default. The number of devices here determines the number of concurrent users allowed.

By default, Poptop looks for its configuration file in /etc/pptpd.conf. So let’s create that file now:

# pppd configuration file
option /etc/ppp/ppp.conf
# IP address of your server-side PPTP connection
# Should be from an unused subnet
localip 10.10.10.1
# IP address range of your PPTP clients
remoteip 10.10.10.100-200
# IP address where Poptop will bind to
listen 123.123.123.123
# PID file (can be used for monitoring)
pidfile /var/run/pptpd.pid
noipparam

Now, let’s create the pppd config file. It doesn’t have to be named like this; it can be /etc/ppp/shitballs.conf as long as you reference it correctly in pptpd.conf.

loop:
set timeout 0
set log phase chat connect lcp ipcp command
set device localhost:pptp
set dial
set login
set mppe * stateless
set ifaddr 10.10.10.1 10.10.10.100-10.10.10.200 255.255.255.255
set server /tmp/loop "" 0177

loop-in:
set timeout 0
set log phase lcp ipcp command
allow mode direct

pptp:
load loop
disable pap
disable chap
enable mschapv2
disable deflate pred1
deny deflate pred1
disable ipv6
accept mppe
enable proxy
accept dns
set dns 192.168.1.1
set nbns 192.168.1.1
set filter in 0 deny 192.168.1.0/24 0
set filter in 4 permit udp src eq 53
set filter out 4 permit udp dst eq 53
set filter in 6 permit 0/0 192.168.1.0/24
set filter out 6 permit 192.168.1.0/24 0/0
set filter in 7 permit icmp
set filter out 7 permit icmp
set filter in 8 permit udp dst gt 33433
set filter out 9 permit udp dst gt 33433
set device !/etc/ppp/secure

We also need to create the /etc/ppp/secure file and make sure it has the execute bit set.

#!/bin/sh
exec /usr/sbin/ppp -direct loop-in

The next file to create is /etc/ppp/ppp.secret. This contains the usernames, passwords and, optionally, the static IP of dial-in users.

# username          password                           static IP
johndoe               mysupersecretpassword          *
janedoe               johnisgay                           10.10.10.150
admin                 secret                                        *

Secure the file. It should be mode 0400.
Remember to create ppp.log and reload syslogd:

# touch /var/log/ppp.log
# kill -HUP <syslogd PID>

There will be two syslogd processes running, so you need to kill the one running as root.
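For the ppp.secret file above, here is an added Python audit (not from the post) that checks what the setup relies on: the 0400 mode, since the passwords are stored in cleartext, unique usernames, and static addresses that are valid, unique and inside the 10.10.10.100-200 pool that pptpd.conf and ppp.conf hand out. The embedded file body is a constructed copy of the post’s sample; the 8-character minimum password length is an assumption.

```python
import ipaddress
import os
# Constructed copy of the post's /etc/ppp/ppp.secret (passwords are the post's placeholders).
SECRET = """\
# username          password                           static IP
johndoe               mysupersecretpassword          *
janedoe               johnisgay                           10.10.10.150
admin                 secret                                        *
"""
# Client pool from the post's pptpd.conf and ppp.conf: remoteip 10.10.10.100-200
POOL = (ipaddress.ip_address("10.10.10.100"), ipaddress.ip_address("10.10.10.200"))

def audit(text, mode, min_len=8):
    """Findings for a ppp.secret body plus its st_mode: mode must be 0400 (the
    passwords are cleartext), users unique, passwords not trivially short, and
    static IPs valid, unique and inside the pool pppd hands out."""
    findings = []
    if mode & 0o777 != 0o400:
        findings.append(f"file mode is {oct(mode & 0o777)}, expected 0o400")
    users, ips = {}, {}
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue                                   # blank or comment line
        if len(fields) < 2:
            findings.append(f"line {n}: need at least username and password")
            continue
        user, pw, ip = (fields + ["*"])[:3]
        if user in users:
            findings.append(f"line {n}: duplicate user {user} (first on line {users[user]})")
        users.setdefault(user, n)
        if len(pw) < min_len:
            findings.append(f"line {n}: password for {user} shorter than {min_len} characters")
        if ip == "*":
            continue                                   # dynamic address from the pool
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"line {n}: bad static IP {ip!r}")
            continue
        if not POOL[0] <= addr <= POOL[1]:
            findings.append(f"line {n}: static IP {ip} outside pool {POOL[0]}-{POOL[1]}")
        if addr in ips:
            findings.append(f"line {n}: static IP {ip} already assigned to {ips[addr]}")
        ips.setdefault(addr, user)
    return findings

def audit_file(path):
    with open(path) as f:
        return audit(f.read(), os.stat(path).st_mode)
```

On the live server, audit_file("/etc/ppp/ppp.secret") reads the mode from the filesystem; on the post’s sample only the admin entry is flagged.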

Add the following lines to /etc/rc.local so that Poptop starts automatically after a reboot.

if [ -x /usr/local/sbin/pptpd ]; then
echo -n " pptpd"; /usr/local/sbin/pptpd -d
fi

Last but not least, we need to allow traffic from PPTP clients. Add these to your pf.conf and reload pf.

pass in quick on $ext_if proto tcp from any to $ext_if port = 1723 modulate state
pass in quick on $ext_if proto gre from any to $ext_if keep state
pass out quick on $ext_if proto gre from $ext_if to any keep state

pass in quick log on tun0 all
pass out quick log on tun0 all
pass in quick log on tun1 all
pass out quick log on tun1 all

It is a good practice to give the machine a reboot to see if everything went well.

NOTE: For Mac OS X clients (including the iPhone), edit your /Library/Preferences/SystemConfiguration/preferences.plist file and change the value of CCPEnabled to 0.