
Tor Gains 1.2M Users in Wake of NSA Scandal Ironically Making It Easier for the NSA

So … TOR is supposed to have gained 1.2 million users following all the fanfare around the NSA.

If I were to facepalm at this point I fear my face would be pushed out the back of my skull, so let me relay a small bit of insight.

TOR is an anonymizing proxy so long as every node along the chain is “behaving”. Let’s say for the sake of argument someone sets up a malicious exit node; Jackin’ TOR shows just such a setup used to inject content into http requests.

  • inject javascript
  • javascript executed by browser, makes request to malicious host
  • identifying the browser; if an exploit exists, this can now be used
  • malicious payload sent back in request
  • malicious program now running makes direct request to C&C server (this does not go out via TOR, request is no longer anonymous)
  • we can pretty much do anything we want now with the system

And if the above does not work?

  • inject javascript
  • steal cookies
  • steal users’ accounts with banking, email, other services.

I Am Alive, the Last 8 Months in Review

Well, where to begin.

2013 has been a year of change for myself. After a long consideration period spanning several months in 2012, I felt that it was time to move on from Psycle Interactive as their Systems Administrator; the new roles “on the table” were as follows:

  • Percona - Systems Admin role which later became a Remote DBA role
  • Rackspace - Systems Admin
  • Google - Systems engineer
  • Facebook - Systems engineer

I accepted the offer from Percona becoming part of the Remote DBA team; the growth over the last 8 months has in my opinion been very rapid; the team and client list has more than doubled in size.

So some highlights on what I have been up to this year (well what I can talk about at least).

There’s so much more which I can not talk about with it being IP / NDA related.

Expect more security focused posts soon as I work on their content.

Openstack - Deploying Windows 8

Despite a never ending well of hate for windows, sometimes I have to work with it.

In this case I needed to create a glance image that could be deployed to an openstack cluster … and that is where the fun stops.

First things first, if you can do a clean install (if you paid the extra £20 and actually received your dvd media that is!) do so, the upgrade process from Windows 7 took the best part of 2 days to complete.

Secondly to create your glance image you’re going to have to do the installation on the same type of hypervisor that you have openstack running upon, in this case I will be covering deployment of Windows 8 onto Linux KVM with virtio drivers.

The kludge

You can not start the instance using virtio for the hard disk, it simply puts itself into a never ending recovery mode, instead set the bus type to SATA or IDE.

Attach a second drive that uses virtio bus, why you may ask? Windows 8 will now boot and in turn have a device attached which it can not recognize.

Before booting you will also need to attach this iso as a cdrom, at the time of writing you can use the Win7 drivers for Windows 8. (iso version 0.1-30)

Square peg, round hole == Bigger hammer

I opted to first install all the drivers by opening up the virtual cdrom, navigating to the Win7 folder and: right click -> install on all the “Setup Information” files.

My “fun” did not end here however … because it would appear the attached virtio device was not formatted, Windows 8 decided to ignore it.

In this case the device manager needs to be launched to resolve the issue, a laborious task in itself.

  1. Open desktop, and click the windows explorer tray icon.
  2. Right click “Computer” and click properties.
  3. Click “Device Manager”.
  4. Expand the “Disk Drives” section, (if you did not install the drivers and reboot, you may be prompted to install the device, or it will show up as an unknown device instead of a disk drive)
  5. Right click properties on the “RedHat VirtIO SCSI Device”
  6. Click the volumes tab and click populate.
  7. Close all windows leaving the Explorer window open.
  8. Right click computer, select Manage.
  9. Select disk management, partition and format the Virtio device as you would any other hard drive.
  10. You should now have a new volume, this is running with the virtio drivers.
  11. Shutdown windows.
  12. Reconfigure the KVM instance, remove the VirtIO disk, change the primary disk bus to VirtIO
  13. Start windows, and wait … and wait …
  14. Once the start menu has booted you will begin to notice performance picks up after a while, I assume this is due to background tasks running.
  15. Run any updates that may be outstanding and shutdown the instance. I would also advise configuring remote desktop.
  16. Convert to qcow2 (if you want), and import into glance as you would any other image.
  17. Create or modify a security group if you have opted to allow Remote Desktop.

And boot the image as normal, ensuring that the selected “flavor” has enough disk space to start the instance.

As for meta data injection, for say account setup I have no idea at this time, please feel free to post in the comment or email me with methods for doing so.

Credits

this blog for noting the ‘dirty hack’ workaround in Windows 8 R2

and James P for having way more patience with windows than I will ever have.


Openssl Unable to Load Certificate Wrong Asn1 Encoding routines:ASN1_CHECK_TLEN::tag:tasn_dec.c:1319

If you come across this error

unable to load certificate
140735207381436:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
140735207381436:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509_CINF
140735207381436:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:751:Field=cert_info, Type=X509
140735207381436:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:

This happens when trying to validate a certificate using openssl because the file is in the wrong format; whilst the certificate file visually appears to be in x.509 format, you will find it contains a far longer base64 string than x.509 certificates of the same bit length.

The format in this case is p7b (PKCS #7); to use the certificate with apache you’re going to have to convert this.

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

Within the resulting .cer file you will find your x.509 certificate bundled with the relevant CA certificates; break these out into your relevant .crt and ca.crt files and load as normal into apache.
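Why the error says “wrong tag”, as an added example that is not part of the original post: an X.509 certificate's outer SEQUENCE begins with another SEQUENCE (cert_info), whereas a PKCS #7 bundle begins with an OID, so the first inner DER tag tells the two apart even when the PEM label is misleading. The function names are hypothetical and the sample inputs are constructed DER skeletons, not real certificates.

```python
import base64
import re

# DER encoding (tag, length, value) of OID 1.2.840.113549.1.7.2, PKCS #7 signedData.
PKCS7_SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)

def read_tlv(der, offset=0):
    """Return (tag, content_start, content_end) for the DER element at offset."""
    if offset + 2 > len(der):
        raise ValueError("truncated DER")
    tag, first, start = der[offset], der[offset + 1], offset + 2
    if first < 0x80:                       # short form: one length byte
        length = first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or start + n > len(der):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(der[start:start + n], "big")
        start += n
    if start + length > len(der):
        raise ValueError("DER length exceeds input")
    return tag, start, start + length

def classify(data):
    """Classify PEM or raw DER bytes as 'x509', 'pkcs7' or 'unknown' by
    structure, ignoring whatever the PEM label claims."""
    m = PEM_RE.search(data)
    try:
        der = base64.b64decode(m.group(2)) if m else data
        tag, start, end = read_tlv(der)
        if tag != 0x30 or start == end:    # both formats open with a SEQUENCE
            return "unknown"
    except ValueError:                     # bad base64 or malformed DER
        return "unknown"
    if der[start] == 0x30:                 # Certificate: first field is a SEQUENCE
        return "x509"
    if der[start:start + len(PKCS7_SIGNED_DATA_OID)] == PKCS7_SIGNED_DATA_OID:
        return "pkcs7"                     # ContentInfo: first field is the OID
    return "unknown"

def pem_wrap(der):
    # Constructed: both samples carry the same CERTIFICATE label on purpose.
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
            + b"-----END CERTIFICATE-----\n")

SAMPLE_X509 = pem_wrap(bytes.fromhex("30083006020102020101"))   # constructed
SAMPLE_P7B = pem_wrap(bytes.fromhex("300f06092a864886f70d010702a0023000"))
```

A file that classifies as `pkcs7` is the one that needs the `openssl pkcs7 -print_certs` conversion above before apache can load it.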

Percona XtraDB Cluster - Prototyping With Openstack

Per my Google+ ramblings; recently I began experimenting with Percona XtraDB Cluster.

After an initial read the setup process seemed very simple, and as it would turn out it was; I later moved onto some simple resilience testing of my 4 node p.o.c. cluster.

I’m still a little unsure on the circular topology I ended up using; but it appears absolutely fine so long as the following conditions are met.

  1. At least one node is always available.
  2. Nodes are recovered only if their peer is available to sync from.
     a. Requiring a startup order.

This is not such a bad thing, as if all nodes were to suddenly go down, I can’t think of a situation where you would want it all to recover “automagically”; you would want to inspect to ensure data integrity and recover from a “known good” version of your data.

Openstack as an experimentation platform

Openstack I’ve found perfect for rapid prototyping of hosting platform architectures; in non-geek terms, building virtual models of servers and services and ensuring they all go together properly before committing to the build plan.

The best part being the VM’s are “Throw away”, something goes inexplicably wrong with a vm prototype? assuming you used snapshots at each step it’s easy enough to roll back.

For reference I used Fedora 17 and the wiki reference setup of openstack for prototyping.

Note in this case you may be better off using OpenVZ; whilst openstack does not at the time of writing support this directly, the openstack DBaaS (Database as a Service) project Red Dwarf leverages OpenVZ to provide DBaaS (something I’d like to get auto handling clusters via XtraDB clustering, given the time …).

XtraDB cluster p.o.c. platform

My platform consists of 4 nodes; although I am sure an odd number of nodes is preferable to reduce the risk of split-brain behaviour occurring.