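Tuesday, July 22, 2014

AWS EC2 Reserved Instance Caveats - Did You Pick the Right AZ?

Image source: financialbuzz

The above is my expression when I received my AWS bills for the past two months.... Damn, why is it so expensive!? Haven't I already been using Reserved Instances? The advantage of AWS is its flexible billing, but that is also the scary part: if you don't set things up properly and keep monitoring, your money will silently burn away....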



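Friday, July 18, 2014

[WMI] A Weird Bug and a Bogus Best Practice - Put install package at temp folder

Image source: Mud Day


I haven't posted in too long, so here's a technical rant (eh?). Lately I've been battling Microsoft systems that I'm very unfamiliar with. The unfamiliarity is one thing, but on top of that I have to control HyperV through the WMI interface from Java, which gets along with it very poorly. The whole thing is a disaster.... My mood is just like the picture above....

Although plenty of capable people online have tried writing Java libraries for controlling HyperV through WMI, many are old and unmaintained, so all I could do was grab the source code, rewrite it and add features. For anyone interested, I put it on github - JWbem


These past few days I ran into a strange bug: when installing software remotely through WMI's Win32_Product, if nobody is logged in on the host (there is no login session at all), the WMI install fails, and the error message leaves you without a clue; there is only return code: 1603 A fatal error occurred during the installation.

After researching online for a long while I found only one similar discussion: MSI Remote Installation Question!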

The best way to do a remote msi installation is as follows:
1. Set the access to the remote location if the MSI is stored at a remote location
C:\Windows\System32\net.exe use $RemotePath password /user:username
2. Copy the MSI file to the system you want to install it to.
Create the C:\Temp folder if it does not exist
if(!(Test-Path "C:\Temp"))
    {
        New-Item -Path "C:\Temp" -ItemType directory
    }
Copy-Item "$RemotePath" "C:\Temp"
3. Use the WIN32_Product Class in the following way
$product= [WMICLASS]"\\.\ROOT\CIMV2:win32_Product"
4. Now use the install method which otherwise is not shown up when we just use Get-WMIObject cmdlet
$ret = $product.Install("C:\Temp\MyProduct.msi","ADDLOCAL=ALL",$true)

5. If you want you can delete the msi file which you copied to the C:\Temp folder.

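The program logic is exactly the same; the only difference is that he recommends installing from the Temp directory..... Well.. might as well try anything at this point...
So I put the installer in c:\windows\temp\

And then it worked... it worked.... orz...


[Update]

Later I found that although I thought this Best Practice worked... it actually still doesn't!! Maybe the previous session was just still around?

Helpless... I'll keep looking for a solution...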



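Tuesday, July 8, 2014

Security isolation and Docker

Image source: the Internet


According to the Xen Community article The Docker exploit and the security of containers, which at least keeps its pH from dropping below 1, Docker is indeed a good tool, suited to the following scenarios: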
  • Excellent tool for packaging and deploying applications
  • Using containers to separate an application from the rest of the user-space of your distribution

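In other words, the programs you deploy with Docker should ideally all be programs you trust; Docker is not suited to being treated as the equivalent of a VM. The author of Docker also stepped in on Hacker News to say: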

Please remember that at this time, we don't claim Docker out-of-the-box is suitable for containing untrusted programs with root privileges. So if you're thinking "pfew, good thing we upgraded to 1.0 or we were toast", you need to change your underlying configuration now. Add apparmor or selinux containment, map trust groups to separate machines, or ideally don't grant root access to the application.

Docker will soon support user namespaces, which is a great additional security layer but also not a silver bullet!

When we feel comfortable saying that Docker out-of-the-box can safely contain untrusted uid0 programs, we will say so clearly.

Finally, the Xen Community also has a few recommendations:

However, using containers for security isolation is not a good idea. In a blog last August, one of Docker’s engineers expressed optimism that containers would eventually catch up to virtual machines from a security standpoint. But in a presentation given in January, the same engineer said that the only way to have real isolation with Docker was to either run one Docker per host, or one Docker per VM. (Or, as Solomon Hykes says here, to use Dockers that trust each other in the same host or the same VM.)

Conclusion:

A good tool still has to be used in the right place and in the right way~ :P

Further reading:

[1] Docker Security
[2] Solomon Hykes Explains Docker
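
The Docker author's advice quoted above (add AppArmor or SELinux containment, avoid root in the container) can be checked against existing containers. The following is an added example, not code from this post or from Docker: it audits records shaped like `docker inspect` output; the sample records are constructed and the function names are hypothetical.

```python
import json

# Constructed records shaped like `docker inspect` output (not from real hosts).
SAMPLE = json.loads("""[
 {"Name": "/web", "AppArmorProfile": "docker-default", "ProcessLabel": "",
  "Config": {"User": "1000:1000"}, "HostConfig": {"Privileged": false}},
 {"Name": "/builder", "AppArmorProfile": "unconfined", "ProcessLabel": "",
  "Config": {"User": ""}, "HostConfig": {"Privileged": false}},
 {"Name": "/agent", "AppArmorProfile": "unconfined", "ProcessLabel": "",
  "Config": {"User": "root"}, "HostConfig": {"Privileged": true}},
 {"Name": "/db", "AppArmorProfile": "",
  "ProcessLabel": "system_u:system_r:svirt_lxc_net_t:s0:c1,c2",
  "Config": {"User": "0:0"}, "HostConfig": {"Privileged": false}}
]""")


def runs_as_root(record):
    """Empty Config.User means no USER was set, so the process starts as uid 0."""
    user = ((record.get("Config") or {}).get("User") or "").split(":")[0]
    return user in ("", "0", "root")


def mac_confined(record):
    """True when an AppArmor profile or an SELinux process label applies."""
    if (record.get("HostConfig") or {}).get("Privileged"):
        return False  # privileged mode drops the default confinement
    apparmor = record.get("AppArmorProfile") or ""
    selinux = record.get("ProcessLabel") or ""
    return apparmor not in ("", "unconfined") or selinux != ""


def audit(records):
    """Map container name to its findings; an empty list means none."""
    report = {}
    for rec in records:
        root, confined = runs_as_root(rec), mac_confined(rec)
        findings = []
        if root:
            findings.append("runs as uid 0")
        if not confined:
            findings.append("no AppArmor/SELinux confinement")
        if root and not confined:
            findings.append("give it its own host or VM")
        report[rec["Name"].lstrip("/")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "->", findings or ["ok"])
```

On a real host the input would come from `docker inspect` run over the container IDs and parsed with `json.load`.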

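Tuesday, July 1, 2014

[Research] HyperV Virtual Network Type


As shown in the figure above, in Hyper-V's network architecture you can create many virtual switches at the Hyper-V host level, and every VM connects to a virtual switch through a network card (Virtual Network Adapter). Hyper-V network cards come in three main types: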

External Virtual Networks


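This type of network card is bound directly to a physical network card on the Hyper-V host.

Internal Virtual Networks


It is not bound to a physical network card, so it cannot reach external networks; it is mainly used for communication between VMs, or between VMs and the Hyper-V host.


Private Virtual Networks


Used purely for communication among VMs (suited to VM cluster communication scenarios).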

[Magento] What to Do When Installing an Extension Results in 404 Not Found


What to do if, after installing a Magento extension, System --> Configuration shows 404 not found:


Step 0: Clear your cache AND sessions on the live server.

Step 1: Check if your module is installed using the free/open-source Module List Module

Step 2: Drop some debugging code in the following method. The var_dumps will tell you which files/classes Magento's routers are looking for with your module, but can't find.


Reference:

[1] Magento Extension 404 Error