Fast VMware VCB Backups

Update 11th Mar 2010 : Less noisy output, and retries the backup request if it failed
Update 29th Nov 2009 : Major improvement to VM selection rules
Update 18th Nov 2009 : Bug fix release.
Update 15th Nov 2009 : Now handles zombie processes correctly, so it will terminate correctly when called from .cmd batch scripts.
Update 10th Nov 2009 : Now deletes old backup snapshots left behind by failed previous backups.

This is a new program which uses the VMware "Virtual Consolidated Backup" (or VCB) system to work, and will run on any Windows system. It is highly parallel, very fast and will easily saturate a 1Gbps network link. I have had performance of over 100Mbytes/second across our network, with a sustained rate of over 70Mbytes/second for several hours.

It is far faster than my previous JKFBackup.sh script mentioned in a previous article. It also does not require any ssh or other "unsupported" access to the VMware host server.

It takes a command-line parameter which is the full pathname of the configuration file that it uses. This can be surrounded in double-quotes (") if there are spaces in the path or filename.

Configuration


The configuration file is a simple text file:
  • All leading and trailing spaces are ignored
  • All blank lines are ignored
  • Comments start with a hash character (pound sign in the USA) like this "#" and continue to the end of the line
  • Each line must start with one of the following keywords, followed by its single parameter:
    • DIRECTORY : the full path, including drive letter, under which all the backups will be stored
    • HOST : the name of the VMware host server running the VMs to be backed up
    • USER : the username to access the VMware host server (usually root)
    • PASSWORD : the password for the stated USER
    • INCLUDE : backup this named VM. Use the “*” character as a wildcard to mean “0 or more characters” to specify several VMs
    • EXCLUDE : do not backup this named VM. Use the “*” character as a wildcard to mean “0 or more characters” to specify several VMs

The INCLUDE and EXCLUDE lines work like rules in a firewall. A rule can match several VMs by using “*” wildcard characters in them. As a simple example, the line “INCLUDE kanga-*” would tell the program to backup all VMs whose names start with “kanga-”. The first rule that matches the name of the VM says whether it will be backed up or not. I strongly advise you put either “INCLUDE *” or “EXCLUDE *” as the last rule in the file, to specify the default action for any VMs that do not match any other rules, such as VMs that have been added since you updated the configuration file.
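As an added example (not code from VCBBackup.pl itself), here are the configuration rules above rendered in POSIX sh, with hypothetical helper names and a constructed sample configuration, so that you can check which INCLUDE or EXCLUDE rule a VM name hits before running a real backup:

```shell
#!/bin/sh
# Added example, not code from VCBBackup.pl: a POSIX sh rendering of the
# configuration-file rules the page describes. Function names are
# hypothetical; the file format is the one the page gives.

# Drop comments ("#" to end of line), leading/trailing blanks, and blank lines.
vcb_clean_config() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | grep -v '^$'
}

# Print the single parameter of a keyword such as DIRECTORY or HOST.
vcb_setting() {
    vcb_clean_config "$1" | awk -v k="$2" '$1 == k { sub(/^[^ \t]+[ \t]+/, ""); print; exit }'
}

# Print the keyword of the first INCLUDE/EXCLUDE rule whose pattern matches
# VM name "$2" in config "$1"; print nothing if no rule matches.
vcb_first_match() {
    vm=$2
    vcb_clean_config "$1" | while read -r keyword pattern; do
        case $keyword in
            INCLUDE|EXCLUDE) ;;
            *) continue ;;
        esac
        # An unquoted $pattern is matched as a shell glob, so "*" means
        # "0 or more characters" as the page defines it (this sh version
        # would also honour "?" and "[...]", which the page's rules do not use).
        case $vm in
            $pattern) echo "$keyword"; break ;;
        esac
    done
}

# Decide whether a VM is backed up: first matching rule wins, as in a
# firewall. Prints INCLUDE, EXCLUDE, or NOMATCH when no rule applies, which
# is the case a final "INCLUDE *" or "EXCLUDE *" line is meant to cover.
vcb_decide() {
    result=$(vcb_first_match "$1" "$2")
    echo "${result:-NOMATCH}"
}

# Constructed sample configuration (placeholder host, user and password).
VCB_SAMPLE_CONFIG=${TMPDIR:-/tmp}/vcb-sample-config.$$
cat > "$VCB_SAMPLE_CONFIG" <<'EOF'
# Constructed sample VCBBackup.pl configuration
DIRECTORY  D:\VMBackups
HOST       esx-host.example.invalid      # placeholder host name
USER       root
PASSWORD   placeholder-password
EXCLUDE    kanga-test-*      # test machines are skipped
INCLUDE    kanga-*           # every other kanga machine is backed up
EXCLUDE    *                 # default for anything not matched above
EOF

# The same rules without the catch-all, to show what a missing default looks like.
VCB_NO_DEFAULT_CONFIG=${TMPDIR:-/tmp}/vcb-nodefault-config.$$
grep -v '^EXCLUDE[[:space:]]*\*' "$VCB_SAMPLE_CONFIG" > "$VCB_NO_DEFAULT_CONFIG"

for name in kanga-test-01 kanga-web roo; do
    echo "$name: $(vcb_decide "$VCB_SAMPLE_CONFIG" "$name")"
done
echo "roo without a default rule: $(vcb_decide "$VCB_NO_DEFAULT_CONFIG" roo)"
# The two sample files are left in ${TMPDIR:-/tmp} for inspection; delete them when done.
```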

Currently the script uses a different directory for each day of the week, so you have the last week's worth of backups on the disk. If you want to change this, learn a little Perl and you will find the code is very simple and straightforward.

As an example, the backups for Thursday for the VM named "Dummy" will be stored in DIRECTORY\Thu\Dummy.

If you want to backup several VMware host servers, then have a separate configuration file for each server. This script is currently aimed at relatively small vSpheres where you only have a few VMware host servers. If you have hundreds of VMware host servers, then please feel free to rip the script apart and use any bits of it you want. If you are prepared to let me include your improvements in a future release, then please contact me!

To backup VMs as fast as possible, the script splits the list of VMs into 3 and does 3 backups simultaneously in parallel.

Data Recovery


Using VCB, data recovery is very simple. Just look in the directory named after the VM you want to restore, and use the VMware Standalone Converter to turn the files in there back into a VM on your VMware server. Easy as that!

Download


You can download version 1.10 of VCBBackup.pl here. I suggest you right-click on that link and choose "Save as..." to download the file.

It is written in Perl so you will need to install the free Perl distribution from www.activestate.com. You will also need to download and install the "VMware Consolidated Backup" distribution from VMware, which you should be able to access if you have purchased VMware products.

My Setup


I do my backups onto a little Dell 860 1U rackmount server running Windows Server 2008R2 x64. It backs up to cheap external disk connected via a Firewire-800 interface. This is quite sufficient and can maintain over 700 Mbits/second backup speed.

Every couple of nights I swap out the hard disk and take it off-site. That provides us with backups of the last fortnight with some off-site storage.

Feedback


I always welcome constructive feedback, and suggestions and requests for new features. If you need any help, just contact me!

VMware vSphere Client in Parallels Desktop

This is a quick solution to a problem I suffered, and thought it was a bug in Parallels Desktop for Mac. You run the vSphere Client application, open a Console to a virtual machine, and after that all your Windows keystrokes and mouse clicks go into the Console and not into any other Windows applications at all, not even the taskbar or Start menu.

The key is that the vSphere Client uses the same "Ctrl Alt" key combination to get out of the console, as does Parallels to get out of Windows programs.

When running in Coherence or Crystal mode, you never really need this key combination as it works automatically anyway when you click in any other Mac application.

The solution is to change the Parallels "Release Input" key combination. Get out of Crystal mode, then go to the Parallels / Preferences window. Select the "Keyboard & Mouse" pane of the dialog box, and work through each Profile in turn. In each profile, set the key combination for "Release Input" to "Cmd-Ctrl-Space" (that's what I used).

Then quit and re-run Parallels and you will find the problem has gone away.

Add cron Job to VMware ESX/ESXi

This explains how to add a cron job to VMware in such a way that it will still be there after reboots.

Having enabled ssh access to your ESX/ESXi server, ssh in as root.

Firstly, add the cron job to the root crontab:
  1. Edit /var/spool/cron/crontabs/root
  2. Add the line (all on one line)
    5 0 * * * /full/path/to/script arguments/with/full/path > /full/path/to/logfile 2>&1
  3. Run the command "cat /var/run/crond.pid"
    That will print the process number of the running crond, such as 12345
  4. Run the command "kill 12345"
    where "12345" should be replaced with the number output by the previous command

For details of the meaning of "5 0 * * *" (5 minutes past midnight every day) read the man page for crontab(5) on any Unix/Linux server, or else on the web.

Now, add a command to /etc/rc.local to re-generate the cron job when ESX/ESXi reboots
  1. Edit /etc/rc.local, using a command such as "vi /etc/rc.local".
  2. At the end of the file, add 3 lines (using "G" then "O" in vi). The first kills crond, the second adds the new cron job to the root crontab file, and the third restarts crond:
    /bin/kill $(cat /var/run/crond.pid)
    /bin/echo '5 0 * * * /full/path/to/script arguments/with/full/path > /full/path/to/logfile 2>&1' >> /var/spool/cron/crontabs/root
    /bin/busybox crond
  3. Save and exit the editor (Press the "Esc" key then ":wq" then press "Return" in vi)
  4. Run the command "auto-backup.sh" so that the change to /etc/rc.local survives a reboot.

Every time you change the cron job, remember to update /etc/rc.local as well and run the "auto-backup.sh" command to backup the new /etc/rc.local file.
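As an added example, not the page's own rc.local lines, here are the same three steps with the checks a reviewer would want: the job line is appended only when that exact line is absent (so the crontab does not gain a duplicate every time rc.local runs), and crond is only signalled if its pid file exists. The function names are hypothetical; the paths and the job line are the page's placeholders.

```shell
#!/bin/sh
# Added example, not the page's own rc.local lines: stop crond, add the job
# to root's crontab, start crond, each step guarded. Function names are
# hypothetical; paths and the job line are the page's placeholders.

CRON_JOB='5 0 * * * /full/path/to/script arguments/with/full/path > /full/path/to/logfile 2>&1'
ROOT_CRONTAB=/var/spool/cron/crontabs/root
CROND_PID=/var/run/crond.pid

# Append job line $1 to crontab file $2 unless an identical line is already there.
# Returns 0 when the line was added, 1 when it was already present.
add_cron_job() {
    if [ -f "$2" ] && grep -qxF -- "$1" "$2"; then
        return 1
    fi
    printf '%s\n' "$1" >> "$2"
}

# Print how many copies of job line $1 crontab file $2 holds; run this after a
# reboot to confirm the job came back exactly once.
count_cron_job() {
    if [ -f "$2" ]; then
        grep -cxF -- "$1" "$2" || true   # grep -c exits 1 on a zero count
    else
        echo 0
    fi
}

# Stop the running crond, if there is one, and start it again so it re-reads the crontab.
restart_crond() {
    if [ -f "$CROND_PID" ]; then
        kill "$(cat "$CROND_PID")" 2>/dev/null || true
    fi
    /bin/busybox crond
}

# What /etc/rc.local would call: add the job, restarting crond only if something changed.
install_cron_job() {
    if add_cron_job "$CRON_JOB" "$ROOT_CRONTAB"; then
        restart_crond
    fi
}

# Only touch the live system when explicitly asked, e.g. from /etc/rc.local:
#   /full/path/to/this-script.sh apply
if [ "${1:-}" = apply ]; then
    install_cron_job
fi
```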

Enable SSH access in VMware

This simply describes how to enable ssh access to a VMware ESX or ESXi server.
  1. From the ESX/ESXi console press Alt-F1.
  2. Type in the word unsupported and press return (nothing will appear as you type).
  3. Type in your root password.
  4. Edit the /etc/inetd.conf file by typing the command "vi /etc/inetd.conf".
  5. Scroll through the file (j=down, k=up) until you find the line that starts "#ssh" and delete the "#" symbol by pressing "x" and save the file by typing ":wq". If you make a mistake then type ":q!" and press return, and start editing it again.
  6. Type the command "exit".
  7. Press Alt-F2.
  8. Reboot the ESX/ESXi server.

Now you will be able to "ssh root@<your-ESX/ESXi-server-name>" from a Unix/Linux prompt, or use "PuTTY" on Windows to connect to it as the user "root" with your root password.

VMware Backups

Update: I have now written another backup script which is based on VMware Consolidated Backup (VCB) which you can download from VMware for Windows systems. It is about 10 times faster at backing up than JKFBackup.sh and will totally saturate a 1Gbps ethernet link. I can get networked backup speeds of 100Mbytes/second with it!

I have written my own script to backup VMware volumes. On a vSphere, it can mount all the datastores available on a node simply by running on that node. It backs up to an NFS datastore which it will optionally mount and dismount for you. It will also optionally backup just VMs that are powered on, VMs that are powered off and templates, and compress the virtual hard disk files.

As far as I am aware it probably does not yet handle a VM that is spread across several datastores; it assumes the files are kept together in one directory for each VM.

It was written to suit our environment, and we don't spread a VM across several datastores. Happy

The usage is
JKFBackup.sh [ --off ] [ --on ] [ --compress ]
or
JKFBackup.sh --help
to get the command-line usage.

--off tells it to backup templates and VMs that are powered off.
--on tells it to backup VMs that are powered on.
--compress tells it to compress the virtual hard disk files of the VMs and templates that it is backing up.
The 3 command line options may be specified in any order.

There are a few things you will need to set in your script to fit your local environment; these are documented at the top of the script so you can quickly get started. They define the NFS datastore where you want all the backups to go, what backup rota you want, and what datastores to backup. It's all pretty obvious.

To get this onto your VMware server you will need to enable ssh logins, and if you want it to run regularly then you will need to add it to your root crontab.

You can download version 1.00 of the script. Note that you should not try to edit it on Microsoft Windows systems, certainly not using Notepad, as it is a Unix text file and the line-ending characters are different so Windows will tend to screw the file completely. Learn the basics of using the "vi" text editor and edit it on your VMware server. You will need to edit it a little bit to set it appropriately for your VMware organisation.

Install the script within /vmfs/volumes/*. In other words, it must be stored on one of your VMware datastores. Otherwise it will be automatically deleted every time your ESX/ESXi server boots as part of its house-keeping. If you store it in one of your datastores it will be left alone when the server boots up.

Don't forget to back up your backup scripts!

When you come to need to recover from a backup, copy the files back onto your VMware server using the "Browse datastore" functionality, then uncompress the .vmdk.gz files if necessary using the "gunzip" command while logged into your ESX/ESXi server using ssh or PuTTY, then register the .vmx files by right-clicking on them in the "Browse datastore" function in the vSphere client. That will re-register your restored virtual machines.

ScamNailer.ndb

I have made the ScamNailer database of phishing email addresses available as a ClamAV ".ndb" signature database file. All you need to do is download the file from http://www.mailscanner.eu/scamnailer.db once every hour and put it into your ClamAV "Database Directory" which is defined in your clamd.conf and/or freshclam.conf file. It's usually somewhere like /var/clamav. Then tell your clamd to reload its database (sending it a "kill -HUP" should do the trick) so it knows something has changed.

Note: Please do not download this file more than once every hour; it does not change that frequently and you will overload my poor little web server!

VMware Converter - Converting an Existing Windows System

The Converter is a client/server program, where the converter server runs on ecsvm-admin.ecs and the client can run anywhere, such as win-admin.

Firewall Rules
If the source physical Windows system is in the DMZ, you will need to add a couple of rules to the firewall "Short-Term Rules" section allowing all traffic from ECS-internal to the source host and from the source host to ECS-internal. You should remove these rules again once the conversion has completed.

Starting the Conversion
Start the VMWare Converter Standalone Client program.
IP Address/Name = ecsvm-admin:7443
Username = administrator (or your own sys* username if you are registered on the vSphere with an account).
Password = Windows-infrastructure password

Click the "Convert Machine" button in the toolbar.
Source type = Powered-on machine
Give remote machine full hostname.
Give username and password of a user in the "Administrators" group on the source Windows system, such as the "ECS2000\administrator" account and domain password.
OS Family = Windows.
Next.

It should connect to the source physical system.
If it fails, then give it the IP address of the source physical system instead of the name of it.
If it still fails, then Remote Desktop to the source physical system, download the converter (from browsing the datastores starting at http://ecsvm-admin.ecs.soton.ac.uk/) and install the converter agent (not the client/server setup) onto the source system, then run it again from there.
When it asks for the name of the source system to convert, give it the IP address of the source system (which is the same system you are now running the Converter on).

Tell it to automatically uninstall the files when the import succeeds.
It will then deploy the agent, which takes a few seconds.

VMware Infrastructure server details:
Server = ecsvm-admin
Username = administrator (or your sys* username if you have an account on vSphere).
Password = Windows-infrastructure password (or yours).
Next.

Select host to run the VM on = ecsvm-admin1.ecs.soton.ac.uk.
Virtual machine name = short hostname (eg. major-backup).
Datastore = infrastore1-Vol2 (an infrastore volume with plenty of free space).
Virtual machine version = Version 7.
Next.

Options
Destination Attributes: Name = short hostname, Folder = ecs
Data to copy: Click "Advanced...", then "Target Layout...".
Set all large, non-swap filesystems to "Thin provisioning" (this is "Dynamic disks" in Microsoft speak, where only the disk space in use is actually allocated on disk, used disk space expands as necessary to hold the data, up to the maximum set by the size of the filesystem).
Set the Size of the normal large filesystems (eg. "C:") to a reasonable number, no point in making them huge, most will fit in 60Gbytes.
Switch to the "Source Volumes" tab to see how much space is actually in use at the moment.
Normally set C: to thin provisioning, 60GBytes or more.
It is important not to waste disk space on Flat-provisioned disks that are not going to use all their space. Disk is relatively expensive.
Devices: Number of processors = 1.
Disk controller = SCSI LSI Logic or SCSI Buslogic.
Memory = usually the default will be fine.
Networks: Network adapters to connect = 1
Set the network for the network adapter to be the same Virtual Machine Network VLAN as the physical machine you are converting.
The new virtual machine will take over the IP address of the physical source machine.
Services: Source Services: switch off services that should not be left running when the VM is created (such as SQL Server or WWW Publishing Service, and Hyper-V services if moving from Hyper-V to VMware). Destination Services: set all Hyper-V services to "Disabled".
Advanced Options: Power on target machine = yes
Power off source machine = yes
Install VMware Tools on the imported virtual machine = yes
Configure guest preferences for the virtual machine = no
Remove System Restore checkpoints on destination = yes
Reconfigure destination virtual machine = yes

Next.

It should now just show you the final option settings and then start the process of converting the host. Wait for the whole process to finish before touching either the source (physical) or destination (virtual) machines.

How long it takes depends on the quantity of data that has to be moved. You can expect about 20 to 25 MBytes/second conversion speed. A machine with about 7GB of used disk takes about 25 minutes to convert.

As the process is run by the Converter Server (running on ecsvm-admin), it doesn't matter if you quit the Windows app used to watch the process, you can track the progress of the conversion from the Converter Windows app running on any PC.

After the Conversion has Finished
Open a console on the new VM.
In the "VM/Guest" menu, install the VM tools. This will insert a CD into the virtual CD drive, what happens then is dependent on the Windows Autoplay preferences in the virtual machine.
This will force a restart of the virtual machine.

Shutdown the virtual machine.
Once the VM has stopped, edit the settings of the VM and choose the middle "Options" tab. In the "VMware Tools" settings, right at the bottom right of the dialog there is an option to "Synchronize guest time with host". Tick this box.
Okay that, then power on the VM.
It should successfully boot.

The VM should now be fully running happily and serving its services to the users.

Now just remove the two temporary firewall rules you added at the start of this process.

VMware Converter - Converting an Existing Linux System

The Converter is a client/server program, where the converter server runs on ecsvm-admin.ecs and the client can run anywhere, such as win-admin.

Firewall Rules
If the source physical Linux system is in the DMZ, you will need to add a couple of rules to the firewall "Short-Term Rules" section allowing all traffic from ECS-internal to the source host and from the source host to ECS-internal. You should remove these rules again once the conversion has completed.

Before You Start
On the final virtual machine, you will need to install the VMware tools and set the VM settings to synchronise the time on the VM with that of the ecsvm-admin server. So you won't want ntpd to be running. Also, you are going to need to reboot the VM at least once after you have converted it, so stop and disable the primary user services (e.g. httpd, mysqld) that are running on the server. You can start up the user services again as the last step after getting the VM Linux system running. So I would start with
service ntpd stop
service httpd stop
service mysqld stop
chkconfig ntpd off
chkconfig httpd off
chkconfig mysqld off
Also, if the physical source machine is actually a Windows 2008 Hyper-V VM, then you will want to do the same to the "inputvsc" service, and copy the seth0 device settings to eth0 (remembering to change the device name in /etc/sysconfig/network-scripts/ifcfg-eth0 after copying the ifcfg-seth0 file onto it) as VMware will use the eth0 device and not the seth0 device.

Once running in VMware, the kernel will need to be able to "probe" the disk controllers in order to be able to find the controller types. So in /boot/grub/grub.conf, edit the kernel command line arguments and remove any settings that set "hda=noprobe" or similar. You don't need to reboot after this change, this will be applied once the VM conversion has finished and VMware starts the new VM.

Starting the Conversion
Start the VMWare Converter Standalone Client program.
IP Address/Name = ecsvm-admin:7443
Username = administrator (or your own sys* username if you are registered on the vSphere with an account).
Password = Windows-infrastructure password

Click the "Convert Machine" button in the toolbar.
Source type = Powered-on machine
Give remote machine full hostname.
Give root username and password.
Next.

VMware Infrastructure server details:
Server = ecsvm-admin
Username = administrator (or your sys* username if you have an account on vSphere).
Password = Windows-infrastructure password (or yours).
Next.

Select host to run the VM on = ecsvm-admin1.ecs.soton.ac.uk.
Virtual machine name = short hostname (eg. gander).
Datastore = infrastore1-Vol2 (an infrastore volume with plenty of free space).
Virtual machine version = Version 7.
Next.

Options
Destination Attributes: Name = short hostname, Folder = ecs
Data to copy: Click "Advanced...", then "Target Layout...".
Set all large, non-swap filesystems to "Thin provisioning" (this is "Dynamic disks" in Microsoft speak, where only the disk space in use is actually allocated on disk, used disk space expands as necessary to hold the data, up to the maximum set by the size of the filesystem).
Set the Size of the normal large filesystems (eg. "/") to a reasonable number, no point in making them huge, most will fit in 40Gbytes.
Switch to the "Source Volumes" tab to see how much space is actually in use at the moment.
Normally set / to thin provisioning, 40GBytes, leave /boot and swap alone.
Devices: Number of processors = 1.
Disk controller = SCSI LSI Logic or SCSI Buslogic.
Memory = usually the default will be fine.
Networks: Network adapters to connect = 1
Set the network for the network adapter to be the same Virtual Machine Network VLAN as the physical machine you are converting.
The new virtual machine will take over the IP address of the physical source machine.
Advanced Options: Power on target machine = yes
Power off source machine = yes
Reconfigure destination virtual machine = yes
Helper VM Network: Look up the IP address of the host "ecsvm--helper" which is a spare IP address unused by anything else in the same "" as the physical host you are converting. There are currently hosts defined such as "ecsvm-systems-helper", "ecsvm-dmz-helper" and "ecsvm-servers-helper". The IP configuration parameters and DNS setup for the Helper VM Network must all be consistent with its IP address. This "helper" machine is a temporary system set up by the VMware Converter just for use during the process of converting a Linux box; it disappears again at the end.

Next.

It should now just show you the final option settings and then start the process of converting the host. Wait for the whole process to finish before touching either the source (physical) or destination (virtual) machines.

How long it takes depends on the quantity of data that has to be moved. You can expect about 20 to 25 MBytes/second conversion speed. A machine with about 7GB of used disk takes about 25 minutes to convert.

As the process is run by the Converter Server (running on ecsvm-admin), it doesn't matter if you quit the Windows app used to watch the process, you can track the progress of the conversion from the Converter Windows app running on any PC.

After the Conversion has Finished
Open a console on the new VM.
In the "VM/Guest" menu, install the VM tools.
mount /dev/cdrom /mnt
cd /tmp
tar xzf /mnt/VM*
umount /mnt
cd vmware*
./vmware-tools-install.pl
Accept all the defaults. It will find suitable modules for your kernel, or else will compile them itself, and build a new initrd, grub.conf and modprobe.conf for your kernel.
Assuming that succeeded, then
shutdown -h now
Once the VM has stopped, edit the settings of the VM and choose the middle "Options" tab. In the "VMware Tools" settings, right at the bottom right of the dialog there is an option to "Synchronize guest time with host". Tick this box.
Okay that, then power on the VM.
It should successfully boot.

The only remaining tasks are to enable and start up the user services, but not ntpd.
chkconfig mysqld on
chkconfig httpd on
service mysqld start
service httpd start

The VM should now be fully running happily and serving its services to the users. If you prefer, you can always reboot the VM again instead of running those last two "service ... start" commands to prove it is all okay and booting correctly.

Now just remove the two temporary firewall rules you added at the start of this process.

Run iPulse Without a Password Prompt

The latest version of iPulse runs very nicely in Snow Leopard. Great. Except that every time you start it you have to type in your password! What a pain. So this will tell you how to avoid having to type in your password every time you start iPulse, which is probably every time you login.

Open a Terminal (it's in /Applications/Utilities).
Run the command "sudo visudo".
It will prompt you for your password, so type it in. Oh, you need an Administrator account to be able to do any of this, sorry.
Press G (capital G) to go to the bottom of the file, then press o (lower-case letter o, not a zero) to open up a new line.
Enter the following line, changing "jkf" for the "short name" of your account:

jkf ALL=NOPASSWD: /Applications/iPulse.app/Contents/MacOS/iPulse

Press "esc" to stop editing. If anything went wrong, type ":q!" and press return to quit without saving. If the line looks okay, type ":wq" and press return to save and exit.

Now your Mac knows you can run iPulse as an administrator without a password.

Because iPulse will be running as the root user, it needs to know what Jacket to load when it starts. So back into the Terminal window.
This time type this command, all on 1 line:

cd ; sudo cp Library/Preferences/com.iconfactory.iPulse.plist /var/root/Library/Preferences

Next stop is the AppleScript Editor (it's in /Applications/Utilities). We're going to create a little application that joins everything together.
Create a new script. Paste the following line into it, noting that it should be pasted in all on 1 line, though the editor will word-wrap it to make it look pretty.

do shell script "SUDO_ASKPASS=/usr/bin/true /usr/bin/sudo -b -n /Applications/iPulse.app/Contents/MacOS/iPulse </dev/null &>/dev/null"


Click on the "Compile" button to make it look nice, it shouldn't produce any errors.
Using File / Save As..., save this as an Application in /Applications with a neat name like "Start iPulse".

If you try to run this new application, you should see iPulse start without asking for a password! Yay!

Nearly there.
Now just go into System Preferences / Accounts / Login Items, click the little "+" button at the bottom of the list of applications to start when you login, and add your new "Start iPulse" application.

Now you are all set. Try logging out, then login again and you should find that iPulse starts up without asking for a password.

Installing Windows 7

This is a highly-polished installation of Windows 7. It has been used mostly on Dell laptops, but is not hardware-specific at all. This will produce a very nice, usable installation of Windows 7 containing the basic software that most people need for everyday office and travel use.

Customising a Windows 7 Enterprise Installation

Boot off Windows 7 Enterprise DVD
Choose English (United Kingdom)
Custom install
Advanced drive options, delete all partitions
Leave it to install

User account
  - Username "User"
  - Computer name: "Dell " + the model number
  - Password "password"
Updates
  - Use recommended settings
Time Zone
  - UTC
Wireless Network (if presented)
  - Use ECS-WLAN, tick "Start this connection automatically"
  - Work Network

Start / Computer / Properties
  - / Advanced / Computer Name - Change suffix to ecs.soton.ac.uk
  - / Remote - Untick Allow Remote Assistance Connections

ECS VPN
  - staffvpn.ecs.soton.ac.uk
  - Name "ECS vpn"
  - Allow other people to use
  - Don't Connect
  - No username or password, leave all blank

Start Menu Properties
  - Power button: Hibernate
  - Untick "Store and disp... and the taskbar"
  - Customize
    - Control Panel - menu
    - no Default Programs
    - no Music
    - no Open submenus when I pause
    - no Pictures
    - yes Run Command
    - System Administrative Tools on All Programs menu
  - Toolbar tab
    - no Lock the taskbar
    - Notification area: customise and Always show all icons

Control Panel / Personalization
  - Window color / Advanced Appearance settings
    - Border Padding = 0
    - Active Title Bar = minimum allowed
  - Desktop background
    - Picture location = Top Rated Photos
      - Untick all except penguins
  - Left-hand pane / Change desktop icons
    - Hide all

Control Panel / Action Center
  - Left-hand pane / Change User Account Control settings
    - Change to bottom level + 1

Control Panel / Autoplay
  - no Use AutoPlay for all media and devices

Control Panel / Folder Options
  - Navigation Pane / yes Show all folders
  - View tab
    - Hidden files and folders - Show hidden files
    - no Hide Empty Drives
    - no Hide Extensions
    - no Hide protected operating systems files

Control Panel / Internet Options
  - Home page = https://secure.ecs.soton.ac.uk/community/
  - Search / Settings...
    - Find more search providers...
      - IE8
        - yes Use Suggested sites
        - yes Use express settings
      - Search the gallery for "google"
      - Search with Google United Kingdom
        - Add to Internet Explorer
      - Google Search Suggestions
        - Add to Internet Explorer
        - yes Make this my default
        - yes Use search suggestions
      - Close IE
    - yes Prevent Programs
  - Tabs / Settings...
    - no Warn me when closing multiple tabs
    - yes Always switch to new tabs
    - yes Always open pop-ups in a new tab
  - Security tab
    - Custom level
      - Display mixed contents = Enable (just over half way down)
  - Programs tab
    - HTML Editor = Notepad

Control Panel / Power Options
  - Require a password on wakeup
    - When I press the power button = hibernate, Shut down
    - Change settings that are currently unavailable
      - Don't require a password
  - Choose when to turn off the display
    - Plugged in = never, never, never

Control Panel / Programs and Features
  - Turn Windows features on or off
    - Printing and Document Services
      - no Internet Printing Client
      - no Windows Fax and Scan
    - no Remote Differential Compression
    - no Tablet PC Components
    - yes Telnet Client
    - no Windows Gadget Platform
    - no XPS Services
  - Restart later.

Control Panel / User Accounts
  - Change your picture
    - Choose the kitten Happy

Restart Windows.

Start Windows Explorer
  - Organise / Layout / Menu bar
  - find Recycle Bin / Properties
    - no Display delete confirmation dialog

Firefox
  - www.mozilla.com
  - Standard Install
  - yes Launch on completion
  - Don't import anything
  - Tools / Options
    - Main
      - Home page = https://secure.ecs.soton.ac.uk/community/
    - Tabs
      - no Warn me when closing multiple tabs
      - yes When I open a new tab
  - Quit Firefox
  - Quit and restart IE
    - When it asks about being default browser
      - no Always perform this Check
      - Click "No" button
    - Right-click on Favorites bar and untick the Favorites bar

Adobe Acrobat Reader
  - Button on right side of www.adobe.com
  - Scroll down the download page and untick all "Also install"s
  - Allow the add-on to install
  
Adobe Flash Player
  - Button on right side of www.adobe.com
  - Scroll down the download page and untick all "Also install"s
  - At end of installation manager, Firefox will start and need to install Flash plug-in.
  - Quit Firefox and IE

Office 2007
  - Install from DVD
  - Get activation code from https://secure.ecs.soton.ac.uk/kb/entry/68/
  - Thump the big Install button

Sophos
  - Use IE to go to www.sophos.ecs.soton.ac.uk
  - Install and run "Sophos 7 Remote Installer for Windows" (35MB)
  - Allow to put temporary files in c:\savwsa
  - In user details page of wizard:
    - Address = http://www.update.ecs.soton.ac.uk/esxp/
    - Username = ecs2000\your-username
    - Password = your-Password
    - no Access the update source via a proxy
    - yes Remote third-party security software
  - Right-click tiny Sophos taskbar icon and "Update now"

Putty
  - Google for "putty" and download Putty, pscp, psftp & pageant
  - Download into C:\Users\User\Downloads
  - Move them into C:\Windows
  - Right-click Putty.exe, paste a shortcut in C:\Users\User\AppData\Roaming\Microsoft\Windows\Start menu\Programs
  - Rename shortcut to "Putty"

Device drivers
  - Open Device Manager
  - Check for unknown devices
  - If mouse is just a PS/2 mouse, get Vista driver from www.synaptics.com
  - Dell Mini 12 Vista drivers often work on a Windows 7 Dell Mini 9
  - You can only download 1 driver at once from Dell!
  - Download any drivers necessary from www.dell.co.uk to make all unknowns vanish
  - Install ControlPoint if necessary to make fingerprint reader work

Control Panel / Folder Options
  - View tab, yes Don't show hidden files, folders or Drives

Control Panel / Windows Update
  - Get updates for other Microsoft products
    - Agree and install
  - Check for updates
  - Optional Updates
    - Don't install Windows Live Essentials or any Language Packs
  - Install all other updates
  - After updates are complete, retry if any failed
  - Restart Windows
  - Check for updates again and install all new updates (there will be some)
  - Rinse and repeat until no new updates are found

Control Panel / System
  - Change product key (right at the bottom)
  - Get activation code
    - Staff: https://secure.ecs.soton.ac.uk/kb/entry/68/
    - Students: Microsoft e-Academy
  - That will activate Windows
  - System Protection (left pane of window)
    - Configure... / Delete

Taskbar
  - Right-click on Windows Media and IE in the taskbar and "unpin"
  - Firefox and Outlook
    - Right-click on them in the Start menu
    - Pin to taskbar
  - Make order (left to right) Start, Firefox, Outlook, Windows Explorer

Start Menu
  - Right-click Firefox and "Pin to Start Menu"
  - Right-click Outlook and "Pin to Start Menu"

Clean Up
  - Start menu
    - Right-click on each icon, select "Remove from this menu" for most
    - Leave only Getting Started, Connect to a Projector
  - Control Panel / Internet options
    - Browsing history / Delete... / tick all boxes
  - Firefox
    - Tools / Clear Recent History... / Everything
  - Desktop
    - Delete all icons, files and directories
  - Filesystem
    - Delete C:\Dell, C:\savwsa, C:\PerfLogs
  - Windows update
    - Start / Administrative Tools / Services
    - Stop "Windows Update"
    - Delete the whole of C:\Windows\SoftwareDistribution
    - Start "Windows Update"
  - Recycle Bin
    - Empty Recycle Bin

Control Panel / Windows Update
  - Get updates for other Microsoft products
    - Agree and install
  - Optional Updates
    - Right-click on each Language Pack and "Hide update"
    - Okay and close window

Restart the PC

Back up a system image to an external hard disk (Control Panel / Backup and Restore / Create a system image), having first checked that there is no "WindowsImageBackup" directory in the root directory of the external disk. If there is one, move it back into its sub-directory first. The backup will create a new "WindowsImageBackup" directory in the root directory of the external disk.

You're done!

Install VMware Tools on a Linux Client

First, log in to the VM as root and "yum update".
Then "yum install gcc make binutils kernel-devel kernel-headers".
Then reboot the VM.
Then start up the vSphere Client, right click on the VM and choose Guest - Install VMware Tools.
Back into the VM's root session.
mount /dev/cdrom /mnt
cd /tmp
tar xzf /mnt/VM*
umount /mnt
cd vmware-tools-distrib
./vmware-install.pl
Accept all the defaults, and let it do everything it wants. If you have a fully updated and correct system, it should install flawlessly.

Check the output of "ifconfig -a" and ensure that every network device that exists has a startup script in /etc/sysconfig/network-scripts/ifcfg-eth*.

Go into the vSphere Client again and right-click on the VM. Look in the "Guest" sub-menu and tell it to stop installing the VMware Tools if it offers you that.

Reboot the VM.

If you have problems...

The most likely problem is that you are running an el5xen kernel or some other xen kernel, which you don't want to be doing.
Once you've done a yum update, take the xen kernel you are running (uname -a will tell you) and do something like this:
yum install kernel-2.6.18-164.el5
Then edit /boot/grub/grub.conf and ensure that the "default=" setting at the top is set to boot the kernel you just installed and not the xen kernel (entries are numbered from 0, counting from the top of the file).
Then reboot so you are running the non-xen kernel.
Then
yum install kernel-devel-2.6.18-164.el5
Then re-run /tmp/vmware-tools-distrib/vmware-install.pl and if it asks you for the kernel headers location, give it
/usr/src/kernels/2.6.18-164.el5/include
But you will most likely find that it just happily works on its own!
Then just reboot to pick up all the VMware tools in a fresh boot.

VMware Converter Fails for Linux Client

You need to change the installed SCSI controller to an LSI Logic controller. The original machine may have been configured for a Transtec 3Ware SCSI controller.

The main relevant article is here:
http://tipstricksandmore.blogspot.com/2009/01/after-converting-physical-rhel4-system.html

Once the VM has been converted, you can change the hardware of the VM in the "Edit Settings..." menu from right-clicking on the VM. You can only change it when the VM is powered off.

Edit the VM settings and connect the DVD drive to a "Datastore ISO File": infra1-localDisk/vSphere Management Assistant/rhel-5-server-i386-dvd.iso.
Set the Device Status to "Connected" and "Connect at power on".
In the VM options page, set it to go into the BIOS setup at next boot.

Open a console on the VM and power it on. It will go into the BIOS setup.
In the "Boot" BIOS menu, select the DVD drive and press + to move it to the top.
Save and exit the BIOS setup.

It will boot from DVD.
Enter "linux rescue".
You don't need any network interfaces.
Let it look for the installed system to mount under /mnt/sysimage.

chroot /mnt/sysimage
Replace hda with sda in /etc/fstab, /boot/grub/device.map and /boot/grub/grub.conf
grub-install /dev/sda

Make sure /etc/modules.conf is empty or non-existent.

Edit /etc/modprobe.conf and set
alias eth0 pcnet32
alias eth1 pcnet32
alias scsi_hostadapter mptbase
alias scsi_hostadapter1 mptscsih

Work out the full path to the initrd image you are going to rebuild. They are in /boot and are called initrd*.
The /boot/grub/grub.conf will point to the right one.
So in my example it is "/boot/initrd-2.6.18-128.7.1.el5xen.img".
There should be a directory under /lib/modules called the same version number.

Then you use a command like this to rebuild it
mkinitrd -v -f /boot/initrd-2.6.18-128.7.1.el5xen.img 2.6.18-128.7.1.el5xen

exit
reboot

Press Esc to get the boot menu and force it to boot from the hard disk.
Hopefully it will boot this time!

Shut it down again, edit the VM settings and set the DVD drive back to "Client Device".
Boot your VM normally.
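The grub.conf inspection from the VMware Tools article above (which entry does "default=" select, and is it a xen kernel?) and the hda-to-sda, modprobe.conf and mkinitrd steps from this article, as one added shell example. This is not the original articles' own code; it assumes the RHEL/CentOS 5 layout where grub.conf gives initrd paths relative to the /boot partition, builds its own constructed sample tree, and the CONVERTED_ROOT variable, the ".pre-lsi" backup suffix and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the articles: helpers for the grub.conf checks and
# the hda -> sda / modprobe.conf fixups described above. The root argument is
# "/" after "chroot /mnt/sysimage", "/mnt/sysimage" without the chroot, or a
# constructed test tree. Function names are this example's own.

# Print "<index> <kernel version> <initrd path>" (tab separated) for the entry
# that grub.conf's "default=" line selects. Entries are numbered from 0, top
# down, exactly as grub counts them; a missing default= means entry 0.
grub_default_entry() {
  awk '
    BEGIN       { want = 0 }
    /^default=/ { sub(/^default=/, ""); want = $0 + 0 }
    /^title/    { n++ }
    /vmlinuz-/  { if (match($0, /vmlinuz-[^ \t]+/) && !((n-1) in kver))
                    kver[n-1] = substr($0, RSTART + 8, RLENGTH - 8) }
    /initrd-/   { if (match($0, /\/[^ \t]*initrd-[^ \t]+/) && !((n-1) in ird))
                    ird[n-1] = substr($0, RSTART, RLENGTH) }
    END { if (want in kver) printf "%d\t%s\t%s\n", want, kver[want], ird[want] }
  ' "$1"
}

# grub.conf gives initrd paths relative to the /boot partition on the usual
# RHEL/CentOS layout (assumption); turn that into the absolute path mkinitrd wants.
initrd_full_path() {
  case "$1" in
    /boot/*) printf '%s\n' "$1" ;;
    *)       printf '/boot%s\n' "$1" ;;
  esac
}

# Exit status 0 when the version string names a xen kernel.
is_xen_kernel() { case "$1" in *xen*) return 0 ;; *) return 1 ;; esac; }

# Swap /dev/hda* for /dev/sda* in the three files the article lists, keeping a
# ".pre-lsi" copy of each (constructed suffix) so the change can be undone.
fix_disk_names() {
  root=$1
  for f in etc/fstab boot/grub/device.map boot/grub/grub.conf; do
    [ -f "$root/$f" ] || continue
    cp -p "$root/$f" "$root/$f.pre-lsi"
    sed 's|/dev/hda|/dev/sda|g' "$root/$f.pre-lsi" > "$root/$f"
  done
}

# The modprobe.conf aliases from the article (pcnet32 NICs, LSI mpt SCSI).
write_modprobe_conf() {
  cat > "$1/etc/modprobe.conf" <<'EOF'
alias eth0 pcnet32
alias eth1 pcnet32
alias scsi_hostadapter mptbase
alias scsi_hostadapter1 mptscsih
EOF
}

# Print the mkinitrd command for the kernel grub boots by default, and warn
# on stderr if that is a xen kernel (VMware Tools will not build against it).
mkinitrd_command() {
  root=$1
  set -- $(grub_default_entry "$root/boot/grub/grub.conf")
  [ -n "${2:-}" ] || return 1
  if is_xen_kernel "$2"; then
    echo "warning: default grub entry boots xen kernel $2" >&2
  fi
  printf 'mkinitrd -v -f %s %s\n' "$(initrd_full_path "$3")" "$2"
}

# Constructed sample tree (not a real system) so the helpers can be tried out.
make_sample_root() {
  mkdir -p "$1/etc" "$1/boot/grub"
  printf '/dev/hda1 / ext3 defaults 1 1\n/dev/hda2 swap swap defaults 0 0\n' > "$1/etc/fstab"
  printf '(hd0) /dev/hda\n' > "$1/boot/grub/device.map"
  cat > "$1/boot/grub/grub.conf" <<'EOF'
default=0
timeout=5
title CentOS (2.6.18-128.7.1.el5xen)
        root (hd0,0)
        kernel /xen.gz-2.6.18-128.7.1.el5
        module /vmlinuz-2.6.18-128.7.1.el5xen ro root=/dev/hda1
        module /initrd-2.6.18-128.7.1.el5xen.img
title CentOS (2.6.18-164.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-164.el5 ro root=/dev/hda1
        initrd /initrd-2.6.18-164.el5.img
EOF
}

# Usage inside the rescue chroot: CONVERTED_ROOT=/ sh fixup.sh
if [ -n "${CONVERTED_ROOT:-}" ]; then
  fix_disk_names "$CONVERTED_ROOT"
  write_modprobe_conf "$CONVERTED_ROOT"
  mkinitrd_command "$CONVERTED_ROOT"
fi
```

The script only prints the mkinitrd line rather than running it, so you can read the kernel version and initrd path it found before committing to a rebuild; the xen warning is the same check the VMware Tools article asks you to make by hand with uname and grub.conf.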

VMware Hot Clone of an Existing System

This article describes how to create a VMware virtual machine from an existing live (Windows) system.
The same process should work with Linux but I've not tested it yet.

Starting the Client
1. Open a Remote Desktop session to ecsvm-admin.ecs.soton.ac.uk and log in as ecs2000\administrator
2. Start the VMware Converter Standalone Client on ecsvm-admin: Start --> All Programs --> VMware --> Converter Standalone Client
3. Select "Connect to local Server" and click OK.
4. The client software should start.

Creating the VM
1. Click the "Convert Machine" button (towards the top left)
2. Select the "A Remote machine" radio button
3. Enter the IP address of the machine to be cloned
4. Enter the user ID and password of an Administrator on the machine being cloned
5. Click Next
6. You should see a prompt asking if you want to "Automatically uninstall" the agent software when the clone has finished. Select the option and click Yes.
7. It will now wait while the client agent is installed.
8. Next you're prompted for the VMware Virtual Infrastructure details:
   Server=ecsvm-admin.ecs.soton.ac.uk
   User Name=ecs2000\administrator
9. You should now see a view of our VI Infrastructure:
   a. Click server "ecsvm-infra1.ecs.soton.ac.uk"
   b. Select one of the infrastore1 disk volumes for the datastore
   c. Type the virtual machine name you want to use (normally just the host name and not the FQDN)
10. Click Next
11. You now get a chance to configure the VM "hardware" and select which disks to clone, etc.
12. Click Next
13. Click Finish and the clone should start.
14. After the clone has finished you need to make sure the VM is connected to the correct virtual network:
    Using the vSphere client, right-click on the VM and click Edit Settings.
    Click the network adapter, choose the correct network in the list box and click OK.
15. Install/Upgrade VMware Tools:
    Using the vSphere client, right-click on the VM and click Guest --> Install/Upgrade VMware Tools

vSphere Client will not Run on Windows 7

When you start the vSphere Client on Windows 7, you get an error about it being unable to read the "clients.xml" file, followed by another error: The type initializer for 'VirtualInfrastructure.Utils.HttpWebRequestProxy' threw an exception.

The workaround is this:
  • Create a folder (e.g. Lib) in the Windows 7 machine where the vSphere client is installed (%ProgramFiles%\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\).
  • Obtain a copy of %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\System.dll from a non-Windows 7 machine that has .NET 3.5 SP1 installed. Copy this file into the folder created in step 1.
  • In the vSphere client launcher directory, open the VpxClient.exe.config file in a text editor and add a <runtime> element and a <developmentMode> element within the <configuration> element, then save the file:
    <?xml version="1.0" encoding="utf-8"?>
    <configuration>
    ...
    <runtime>
    <developmentMode developerInstallation="true"/>
    </runtime>
    </configuration>
  • Create a batch file (e.g. VpxClient.cmd) in a suitable location (e.g. Desktop). In this file add a command to set the DEVPATH environment variable to the folder where you copied the System.dll assembly in step 2, and a second command to launch the vSphere client, then save the file:
    SET DEVPATH=%ProgramFiles%\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\Lib
    "%ProgramFiles%\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe"
NOTE: If you are running 64-bit Windows, replace all instances of Program Files with Program Files (x86).
You can now use the VpxClient.cmd (or a shortcut to it) to launch the vSphere client in Windows 7.
This workaround bypasses the .NET Framework's normal assembly-loading mechanism: any assembly found in the DEVPATH folder is loaded without its version being checked.

Tethering on 3G / 3GS iPhone

You obviously need iPhone OS 3.0 first, or else none of this is ever going to work.
It is dead easy, use your iPhone Safari to go to
http://help.benm.at/, choose your carrier and install the profile.
Then go into Settings / General / Network / Internet Tethering and switch it on.
Your iPhone will go a pretty blue colour when it starts tethering.
On a Mac, just plug the iPhone in, or connect with Bluetooth and it will automatically detect the new network interface.
On a Windows PC, you need to download the “PDANet Desktop Client” to use it.

For more information, go here.

Update 2009-06-18: The guys at Benm.at set the APN wrong in their settings file. Theirs will work, but it will be trivial for O2 to find that you have installed the file. If you use my version instead, then they won’t see any change in your APN settings. Point your iPhone at this page and follow this link to install my version.

Anti-Phishing and Spear-Phishing Version 2

Update 11 October 2009: This has now been moved to www.ScamNailer.com. Please check there for all future information and updates to this package.

Update 20 September 2009:
The Google-hosted data file has been moved to SourceForge, so I have updated the URL it downloads it from. You need to update your script to the new version 2.05.

Update 16 June 2009:
I have changed the rule structures to make them considerably faster than the old ones. Download the updated script from the link below.

I have acquired a new reliable feed of email addresses used in phishing attacks. These addresses have all been checked by real people, and they come from a very reliable and well-known source.

The new data file is provided by means of DNS and an Anycast network, which makes it pretty resilient to attack. The previous spear-phishing data is gathered from the project hosted by Google in the traditional way, that hasn’t changed.

I have updated my script so that it fetches both sets of data. It makes use of a temporary directory under /var/cache, which is configurable at the start of the script, and which needs to be writable by the user the scripts runs as (normally just ‘root’ so this doesn’t present any problem at all to most people).

You can download version 2.05 of the script.

If you are not using MailScanner with this script, you will need to comment out or delete the line that mentions “service MailScanner reload” about 1/3 of the way down the script (search and ye shall find!).

For more explanation of this whole problem and the way this script works, please refer back to my earlier article.

Upgrading Windows 7 from Beta to Release Candidate

This is actually very easy.

Copy all the files from the Release Candidate DVD into a directory on your hard disk. Go into that directory, look in the “sources” sub-directory for a file “cversion.ini”.
Change the line
MinClient=7100.0
to
MinClient=6900.0
and save it.

Burn a new DVD from the directory containing everything, and use that to upgrade your Windows 7 Beta system to Windows 7 Release Candidate.

This information is available officially from Microsoft, but I forget where.

Best TV Ad in Months

This is simply the best TV advert I have seen in months. It is a fine example of the amazing quality of TV advertising we have here in the UK. The advert would not work in many other countries, it’s way too subtle for an American audience. No insult intended, but your advertising is very different from ours, and clever companies appreciate that and work with it. This should win some awards, it’s simply brilliant. MP4 Format, 10Mb, 40 seconds.

Mouse support in Hyper-V

This is how to add mouse support to the LICs (Linux Integration Components) provided by Microsoft. This does not involve using the Beta version of the LICs at all, it is all done with the production release version.

Firstly install everything else involved in getting the LICs working. There is another article in this blog that will explain how to get the LICs working with RedHat or CentOS 5.2.

On your Windows 2008 or Hyper-V server, download the “inputvsc.iso” from
http://www.xen.org/download/satori.html.
Using the Hyper-V “Connect” window and its Media menu, set the DVD drive to point to the “inputvsc.iso” you just downloaded.
In the virtual machine, “mkdir /mnt” and “mount /dev/hdc /mnt”. That should mount the ISO on /mnt.
Make somewhere to put it, such as “mkdir -p /opt/inputdriver”.
Copy the contents of the ISO to there, “cp -pr /mnt/* /opt/inputdriver”.
Unmount the ISO, “umount /mnt”.
Eject the media using the Media menu in the Hyper-V “Connect” window.
Go into that directory, “cd /opt/inputdriver”.
Install one required package, “yum install xorg-x11-server-sdk”.
Install the mouse driver, “perl setup.pl inputdriver”.
That should succeed.

Start X Windows with “startx” to test it. If the mouse support doesn’t work, you can always kill X by pressing Ctrl-Alt-Backspace, or by logging in remotely to the virtual machine as root and typing “killall X”.

That’s about it. It worked fine for me!

Anti Spear Phishing

Update 2009-October-11: This package is now hosted at www.scamnailer.com. Please check there for all future information and updates.

Update 2009-June-15:
There is now a brand new additional data feed of known phishing email addresses, which I have added to my script.


Spear phishing is a technique used by spammers and scammers to try to get your email username and password. They send you an email claiming to be from your email provider, in which they say that your account will be deleted unless you supply them with your username and password “for authentication” or some other similar ruse.

If they get your username and password, they then use your email account and email provider to send out millions of spam messages. Because the spam comes from a genuine email system (yours!) it will be accepted by most sites and will automatically pass many spam checks.

I have written a script which takes a file of addresses commonly used in these attacks. It also allows an additional list of addresses that you can add to. From these, it generates a set of SpamAssassin rules that detect the presence of these addresses, which can be used in MailScanner to stop the spear-phishing attacks completely.

Download the script here. Note that the script is gzipped to ensure your browser doesn’t do anything silly when fetching it, so you’ll need to “gunzip” it before doing anything with it. To start with, just copy it into your “/etc/cron.hourly” directory, and run the command “chmod a+rx /etc/cron.hourly/Spear.Phishing.Rules” to make it run every hour.

It is pretty much a finished script, and is directly usable by you guys without you having to do much to it except read the settings at the top and tweak the filenames if you want to change where it puts things.

I have taken a lot of care to ensure that this won't match any false alarms, I don't just dumbly look for the strings in any surrounding text, which certain commercial AV vendors have been caught doing in the past!

I make a suggestion in the comments at the top of the script about how I use the rule within MailScanner, you probably want to do something similar, and not just delete anything that matches, just in case you do get any false alarms.

It also looks for numbers at the end of the username bit of the address, and assumes that these are numbers which the scammers may change; so if it finds them, it replaces them with a pattern that will match any number instead. There's starting to be a lot of this about, as it's the easiest way for the scammers to try to defeat simple address lists targeted against them, while still being able to remember what addresses they have to check for replies from your dumb users. I thought I would make it a tiny bit harder for them...

You can also add addresses of your own (which can include "*" as a wildcard character to mean "any series of valid characters" in the email address), one address per line, in an optional extra file. Again, read the top of the script and you'll see it mentioned there. That file is optional, it doesn't matter if it doesn't exist. As a starter, you might want to put
m i c h a e l l o u c a s * @ g m a i l . c o m
(without the extra spaces) in that file, as it will nicely catch a lot of "Job opportunity" spams.

It looks for any of these addresses appearing **anywhere** in the message, not just in the headers. So if you start talking to people about these addresses, don't be surprised when the messages get caught by the trap.

It does a "wget", so make sure you have that binary installed, or else change the script to fetch the file by some other means.

The very end of the script does a "service MailScanner restart", so if you need some other command to restart MailScanner or your SpamAssassin setup, then edit it for your system. It needs to be a "restart" and not a "reload" as I have to force it to re-build the database of SpamAssassin rules. If you don’t use MailScanner, but do use “spamd” in some setup or other, then a simple “service spamd restart” would do at the end of the script.

My aim was that, on a RedHat system running MailScanner, you could just copy the script into /etc/cron.hourly and make it executable, and it will just get on with the job for you. I do advise you read the bit in the script about "SpamAssassin Rule Actions" though.
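The rule generation described above (escaping the address so "." only matches a dot, treating a trailing run of digits in the username part as "any number", honouring "*" as a wildcard, and matching anywhere in the raw message), as an added shell example. It is not the Spear.Phishing.Rules script itself: the rule names, the 5.0 score, the sample address list and the function names are this example's own, and it assumes the output is dropped into a SpamAssassin .cf file.

```shell
#!/bin/sh
# Added example (not the article's Spear.Phishing.Rules script): turn a list
# of scammer addresses into SpamAssassin rules the way the article describes.
# Rule names and the 5.0 score are this example's own choices.

# Convert one address into a case-insensitive Perl regex:
#  - regex metacharacters in the address are escaped, so "." only matches "."
#    and "/" cannot break out of the /.../ delimiters;
#  - "*" in the list means "any run of address characters";
#  - a trailing run of digits in the local part (before "@") becomes [0-9]+,
#    because scammers rotate those numbers between campaigns;
#  - \b on both ends stops bob@example.com matching inside nobob@example.com.
addr_to_regex() {
  re=$(printf '%s\n' "$1" \
    | tr '[:upper:]' '[:lower:]' \
    | sed -e 's#[]+.?^$(){}|/[]#\\&#g' \
          -e 's/\*/[a-z0-9._%+-]*/g' \
          -e 's/[0-9][0-9]*@/[0-9]+@/')
  printf '%s\n' "\\b${re}\\b"
}

# Read addresses (one per line; "#" comments and blank lines ignored) from the
# file named in $1 and print a SpamAssassin rule set on stdout. Returns 1 if
# the list was empty, so a broken download does not wipe the live rules.
generate_rules() {
  n=0
  names=""
  while IFS= read -r line || [ -n "$line" ]; do
    addr=${line%%#*}                               # strip trailing comment
    addr=$(printf '%s' "$addr" | tr -d '[:space:]')
    [ -n "$addr" ] || continue
    n=$((n + 1))
    name="__SPEAR_ADDR_$n"
    # "full" tests run over the whole raw message, headers and body alike,
    # which is the "anywhere in the message" behaviour the article describes.
    printf 'full %s /%s/i\n' "$name" "$(addr_to_regex "$addr")"
    names="$names${names:+ || }$name"
  done < "$1"
  [ "$n" -gt 0 ] || return 1
  printf 'meta SPEAR_PHISHING_ADDR (%s)\n' "$names"
  printf 'describe SPEAR_PHISHING_ADDR Contains an address used by spear-phishers\n'
  printf 'score SPEAR_PHISHING_ADDR 5.0\n'
}

# Number of address rules produced for a list file (handy as a sanity check
# before reloading MailScanner or spamd).
count_full_rules() { generate_rules "$1" | grep -c '^full '; }

# Constructed sample list (not real feed data) for trying the generator out.
write_sample_list() {
  cat > "$1" <<'EOF'
# one scammer address per line; "*" is a wildcard
Reply.Desk77@example.org
webmail-admin*@example.net
helpdesk.verify@example.com   # trailing comment
EOF
}

# Usage: SPEAR_LIST=/var/cache/spear/addresses.txt sh spear-rules.sh > spear.cf
if [ -n "${SPEAR_LIST:-}" ]; then
  generate_rules "$SPEAR_LIST"
fi
```

Because the sub-rules carry the "__" prefix they score nothing on their own; only the meta rule does, so the score is the one place to tune, and a low score plus a "SpamAssassin Rule Actions" entry in MailScanner is safer than deleting outright, as the article advises.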

Please do let me know how you would like me to improve it, and tell me what you think of it in general. (be polite, now!)

Update 13th January 2009:
A colleague on the MailScanner mailing list has made this simpler to use. You don’t have the flexibility of adding your own addresses to the list, but you can get the latest list along with all your regular SpamAssassin updates with the “sa-update” command.
Here are his instructions:
wget http://www.bastionmail.co.uk/spear.txt
sa-update --import spear.txt
Add “spear.bastionmail.com” to the list of channels that you update from (either add “--channel spear.bastionmail.com” to your sa-update command, or add “spear.bastionmail.com” to the file pointed to by the sa-update “--channelfile” command-line option).
Add the key “06EF70A3” to the trusted keys (either add “--gpgkey 06EF70A3” to your sa-update command, or add “06EF70A3” to the file pointed to by the sa-update “--gpgkeyfile” command-line option).
Then these SpamAssassin rules will be automatically updated every time your system runs the “sa-update” command, which is daily on a standard MailScanner system.