iribbit.net - Leap into the online experience!

Project News :.

The latest project to launch was the site for Gorilla Offroad Company. Aside from their main site, a social media strategy was developed to launch the company into various industry-specific automobile enthusiast discussion board communities as well as popular social media fronts like Facebook, Pinterest, and Twitter.



ColdFusion News :.

To bring a little life to my site, I've pulled a couple of RSS feeds into this page. You can currently choose between the technology-related news stories from the following news sources:



You are currently viewing an RSS feed from coldfusionbloggers.org.



Exploring CentOS 7 Firewalld

New with CentOS 7 is firewalld, a replacement for iptables to manage the firewall. As with anything new, at first glance it seems confusing, but I’m finding I prefer it over iptables.

The first thing to understand about firewalld is that it has multiple layers. It comes with a predefined set of zones, namely block, dmz, drop, external, home, internal, public, trusted, and work. Each of those zones can be associated with a network device or with one or more IP addresses. Essentially, zones define and demarcate the level of trust an admin has decided to place on the devices and traffic within a network.

firewalld also pre-defines a set of services that can be added or removed from a zone. Effectively, when a service is added to a zone, it opens a port and sets any other necessary parameters. Services are defined with XML. Here’s what the http service looks like:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>WWW (HTTP)</short>
  <description>HTTP is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. ... </description>
  <port protocol="tcp" port="80"/>
</service>

So to open port 80 over TCP to serve HTTP requests, as an example, first a zone must be associated with the network device that will handle the traffic, and then the http service added to that zone. As an admin, you can define your own custom services, or customize existing ones. Other techniques allow you to open a port directly on a zone, or define more complex rules for access.

To configure the firewall and check its status, a command line client is provided, firewall-cmd. It can be used to make both permanent and temporary config changes. The configuration for firewalld is stored in XML files in /usr/lib/firewalld/ (the default settings, not to be modified!) and /etc/firewalld/ (for user-configured settings, which take precedence over those in the default location). These files can be edited, backed up, or used as templates for other server installations.

Now that we have an overview, we can get to work. To check if firewalld is running:

systemctl status firewalld

If you see from the output that firewalld is not running, or you see that the loaded service is disabled, here are the commands needed:

systemctl enable firewalld
systemctl start firewalld

If a service is enabled, it will start on system reboot. Hence it’s particularly important to ensure firewalld is enabled on a production server.

Here’s how to disable firewalld so it will not start at boot time, and shut it down:

systemctl disable firewalld
systemctl stop firewalld

Now I want to configure the firewall. First, I check for the name of the ethernet interface so that I can refer to it to associate it with a zone:

nmcli dev status

Then I check which zone eno16777736 is currently assigned to:

firewall-cmd --get-zone-of-interface=eno16777736

The result is “no zone”, so the next step is to add the ethernet interface to the public zone, which is the zone I’ve decided to use for http access to the server. It’s important to add the --permanent flag to the command so the change is retained across reboots:

firewall-cmd --zone=public --add-interface=eno16777736 --permanent

Now I have to reload the firewall configuration for the changes to take effect:

firewall-cmd --reload

And then we can double check just to make sure the ethernet interface is now added to the public zone …

firewall-cmd --get-zone-of-interface=eno16777736

and the result is “public”, so that’s now set up correctly.

Let’s now check how the public zone is currently set up:

firewall-cmd --zone=public --list-all

Here we see again that the ethernet interface is added to the public zone, and that it is both active and the default zone. By default after installing CentOS 7, the services dhcpv6-client and ssh are added to this zone. Taking a quick look at the description of the dhcpv6-client service in /usr/lib/firewalld/services/dhcpv6-client.xml to see what it does, we see, “This option allows a DHCP for IPv6 (DHCPv6) client to obtain addresses and other IPv6 settings from DHCPv6 server.” We won’t be using IPv6 addresses within our local network to access this machine, so I think it’s safe to remove this service, although we may want to leave it in place on a production server:

firewall-cmd --zone=public --remove-service=dhcpv6-client --permanent

Reminder - remember to always add the permanent flag to these commands if you want changes to be persisted!

Now we can add the services for http access to our public zone:

firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --zone=public --add-service=https --permanent

… reload the firewall …

firewall-cmd --reload

… and recheck the configuration, using list-services instead of list-all just to try it out:

firewall-cmd --zone=public --list-services

and I see that we now have the services http, https and ssh configured. Excellent. Let’s test that in a web browser.

I’ve installed the nginx web server, but see using systemctl status nginx that it’s not yet running or enabled, so first we run

systemctl start nginx
systemctl enable nginx

And then I go to 192.168.1.16 in a web browser and see Welcome to nginx! Good.

As a double check, let’s remove the http service and see what happens.

firewall-cmd --zone=public --remove-service=http --permanent
firewall-cmd --reload

Reloading 192.168.1.16, I get a No data received message, so that’s exactly what we should expect.

firewall-cmd --zone=public --add-service=http --permanent
firewall-cmd --reload

And adding the http service back to the public zone again allows the Welcome to nginx! page to be loaded in my browser. Perfect.

However, I still don’t have access to the CF Admin panel at http://192.168.1.16:8500/CFIDE/administrator/index.cfm, because that’s over port 8500. On a production machine, I absolutely would not open port 8500 for this purpose. But since this server is on our local office network, let’s see how we can do this.

The first option that comes to mind is to create a custom firewalld service specifically for this purpose. Documentation I’ve read recommends using existing services as a template. Custom services go in /etc/firewalld/services/. First let’s make a copy of the http service, calling it http8500, and place it in /etc/firewalld/services/:

cp /usr/lib/firewalld/services/http.xml /etc/firewalld/services/http8500.xml

Then we edit /etc/firewalld/services/http8500.xml to use port 8500 instead of port 80. Here’s what the modified file looks like:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>CF Admin Access</short>
  <description>For CF Admin access via port 8500.</description>
  <port protocol="tcp" port="8500"/>
</service>

Then we add this service to the public zone and reload the firewall:

firewall-cmd --zone=public --add-service=http8500 --permanent
firewall-cmd --reload

And now http://192.168.1.16:8500/CFIDE/administrator/index.cfm works! Again, this is not how I’d set up access to the CF administrator on a production machine, but it was an opportunity to experiment with creating custom services. What I like about this option is that I can enable or disable it, independently of the other services enabled. So if I decide I want to lock this server down, I can quickly remove the http8500 service and access the CF Administrator via SSH Tunnelling.
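The custom-service steps above, scripted as an added example (my code, not the post's): it writes a service file in the same XML shape as /usr/lib/firewalld/services/http.xml, refuses bad names, protocols or ports so a typo never becomes a wide-open rule, and, where firewall-cmd exists, does the permanent add, reload and list-services check. The http8500 name, port 8500 and the public zone come from the post; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not code from the original post): script the custom firewalld
# service steps. write_fw_service writes DIR/NAME.xml in the same shape as
# /usr/lib/firewalld/services/http.xml; apply_fw_service does the permanent
# add, reload and verification. "http8500", port 8500 and the public zone are
# the post's values; the function names are hypothetical.

# xml_escape TEXT -> TEXT with &, < and > escaped for use inside XML elements
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# write_fw_service DIR NAME SHORT DESCRIPTION PROTO PORT
# DIR would be /etc/firewalld/services on the server (user services live there).
write_fw_service() {
    dir=$1 name=$2 proto=$5 port=$6
    short=$(xml_escape "$3") desc=$(xml_escape "$4")
    case $name in ''|*[!A-Za-z0-9_-]*) echo "bad service name: $name" >&2; return 1 ;; esac
    case $proto in tcp|udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
    cat > "$dir/$name.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$short</short>
  <description>$desc</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
}

# fw_service_ports FILE -> one "proto/port" line per <port/> element in FILE,
# handy for auditing what a service file actually opens before adding it
fw_service_ports() {
    sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9]*\)".*/\1\/\2/p' "$1"
}

# apply_fw_service ZONE NAME -> permanent add, reload, then confirm the service
# is listed for the zone (the same sequence the post uses). Returns 2 when
# firewall-cmd is not on this machine, so the script is safe to run anywhere.
apply_fw_service() {
    zone=$1 name=$2
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found" >&2; return 2; }
    firewall-cmd --zone="$zone" --add-service="$name" --permanent &&
        firewall-cmd --reload &&
        firewall-cmd --zone="$zone" --list-services | tr ' ' '\n' | grep -qx "$name"
}

# Demo: build the post's http8500 service in a scratch directory and show its ports.
demo_dir=$(mktemp -d)
write_fw_service "$demo_dir" http8500 "CF Admin Access" "For CF Admin access via port 8500." tcp 8500
fw_service_ports "$demo_dir/http8500.xml"    # prints tcp/8500
rm -rf "$demo_dir"
```

On the server you would point DIR at /etc/firewalld/services and then run apply_fw_service public http8500; removing access later is the post's --remove-service step.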

What I usually do is move ssh access to an obscure port. I think we can easily accomplish this using a custom service, but before I do that, I want to take a look at how the localhost interface is set up within the firewall. Again, we use nmcli dev status to get the name of the localhost or loopback interface:

nmcli dev status

It’s “lo”, so let’s see if it’s assigned to a zone by default:

firewall-cmd --get-zone-of-interface=lo

Nope, the result I get is “no zone”. Let’s also see if there are any services added to the trusted zone, which would be the most appropriate for localhost:

firewall-cmd --zone=trusted --list-all

At this point, nothing is added to this zone, no interfaces, services, sources or ports, etc. And the network interface “lo” isn’t associated with any zone.

Now what I want to see is how the server responds to localhost access with the firewall enabled. This might be important on a production server because I will use ssh tunneling to access any areas I will restrict from public access. So let’s log out from the server and log in again with the -D flag so that I can tunnel into the test server and test whether I have access via localhost with the firewall set up as it is now:

exit
ssh -D 6100 root@192.168.1.16
root@192.168.1.16's password:

I keep Firefox on my dev machine reserved and set up for ssh tunneling on port 6100, so I simply open Firefox and browse to http://localhost:8500/CFIDE/administrator/index.cfm, and find I can access the CF11 admin page and login. Browsing to http://localhost/, I see the Welcome to nginx! page. So at this point via localhost, I have access. (Note for anyone without experience using ssh tunnelling: when I use localhost in Firefox set up for ssh tunneling, logged in to the CentOS server using the -D flag, I am browsing the CentOS server next to me, not my dev machine. See SSH Tunnelling for details on how to do this.)

Now what happens if I add the “lo” network interface to the trusted zone, where no access is currently set up?

firewall-cmd --zone=trusted --add-interface=lo --permanent
firewall-cmd --reload

Adding the “lo” interface to the trusted zone with no services had no effect at all on tunnelled access to localhost. So it looks like the firewall doesn’t interfere there. So to clean up, I will remove the “lo” interface from the trusted zone and call it a day.

firewall-cmd --zone=trusted --remove-interface=lo --permanent
firewall-cmd --reload

PS - For some reason, “lo” was not removed from the trusted zone according to firewall-cmd --zone=trusted --list-all unless and until I rebooted the server. The strange thing was that the config file was correctly altered, but somehow, firewalld didn’t seem to pick up the change. Perhaps this is the intended behavior, to prevent lockout during a current session, but I’ll look into filing a bug report later this evening … ( which I have now filed here ).

References:

  1. https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html
  2. http://www.certdepot.net/rhel7-get-started-firewalld/
  3. http://fedoraproject.org/wiki/FirewallD

(Mon, 22 Dec 2014 02:00:22 GMT)

Setting Up a Local Testing Server on VMWare

I’ve been wondering how to best set up a local testing environment for some time. My production servers are all on CentOS. On the advice of Nolan Erck, whom I met at CFCamp this year, I’ve decided to use VMWare to set up a CentOS server on a virtual machine here in the office. This approach allows me to have multiple test environments, and I can easily move them to another machine if needed simply by copying the disk image.

For ease of access, each VM needs a static ip on the local network. It’s not hard to do once you figure it out, but getting all the pieces in place took some hours of digging, trial and error. This post, while specific to VMWare and CentOS 7, is intended to help both my future self and anyone else set up networking quickly and easily in such a scenario. Adapt as necessary for your specific environment.

The obvious first step was to download the ISO image from a CentOS mirror site. I grabbed the minimal install as a nearest approximation to a production environment, and created a VM from it using VMWare on an unused Mac mini we had laying around the office.

On the minimal install, networking isn’t enabled by default. So before I could proceed, I had to figure out how to enable networking and get it working via a static IP. Here’s a summary of what finally worked for me.

1) Figure out what the ethernet device is named by running the command:

nmcli dev status

[screenshot: output of nmcli dev status, showing the device eno16777736]

As you can see, mine was named eno16777736, which is not the RedHat default you may find in many examples online.

2) cd to the directory /etc/sysconfig/network-scripts and run ls to display its files:

cd /etc/sysconfig/network-scripts
ls

[screenshot: ls output for /etc/sysconfig/network-scripts]

3) Look for the configuration file for your ethernet device (mine was named ifcfg-eno16777736) and open it for editing using vi or nano:

nano ifcfg-eno16777736

[screenshot: ifcfg-eno16777736 open in nano]

The above screenshot was taken after it was edited. The lines to change or add are:

BOOTPROTO=static
IPADDR=<the static ip address you want to assign to this instance>
NETMASK=255.255.255.0
GATEWAY=<the gateway ip address of your internal network>
NM_CONTROLLED=no
ONBOOT=yes

I found that adding the correct gateway ip was essential. NM_CONTROLLED specifies whether or not this device is controlled by the Network Manager. We are setting the parameters manually here, so this must be no. ONBOOT=yes specifies to connect this network device on boot.

Save the file, exit nano, and run the following command to restart the network:

systemctl restart network
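Since a wrong gateway was the sticking point above, here is an added check script (not from the original post) that validates the IPADDR, NETMASK and GATEWAY values and prints the ifcfg lines only when the gateway actually lies in the address's subnet. The device name and 192.168.1.16 are the post's; 192.168.1.1 is a constructed sample gateway and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: validate the static-IP values
# before they go into ifcfg-eno16777736. A gateway outside the subnet leaves
# the VM unreachable with no error message, so check it up front.
# 192.168.1.16 is the post's address; 192.168.1.1 is a constructed sample
# gateway; the function names are hypothetical.

# ip2int A.B.C.D -> the address as a 32-bit integer; fails unless all four
# octets are plain decimals 0-255 (leading zeros rejected, since shell
# arithmetic would read "010" as octal)
ip2int() {
    case $1 in ''|.*|*.|*..*) return 1 ;; esac        # empty octet somewhere
    set -- $(IFS=.; printf '%s ' $1)                  # split on dots (IFS stays local to the subshell)
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# valid_netmask MASK -> succeeds only for a contiguous mask (ones then zeros)
valid_netmask() {
    m=$(ip2int "$1") || return 1
    inv=$(( ~m & 0xFFFFFFFF ))          # host bits
    [ $(( inv & (inv + 1) )) -eq 0 ]    # host bits must be a run of trailing ones
}

# same_subnet IP GATEWAY MASK -> succeeds if both share the network part
same_subnet() {
    a=$(ip2int "$1") || return 1
    g=$(ip2int "$2") || return 1
    m=$(ip2int "$3") || return 1
    [ $(( a & m )) -eq $(( g & m )) ]
}

# render_ifcfg IP MASK GATEWAY -> prints the six lines the post says to set,
# or fails with a reason on stderr so nothing wrong gets written to the file
render_ifcfg() {
    ip=$1 mask=$2 gw=$3
    ip2int "$ip" >/dev/null || { echo "invalid IPADDR: $ip" >&2; return 1; }
    valid_netmask "$mask" || { echo "invalid NETMASK: $mask" >&2; return 1; }
    ip2int "$gw" >/dev/null || { echo "invalid GATEWAY: $gw" >&2; return 1; }
    [ "$ip" != "$gw" ] || { echo "IPADDR and GATEWAY must differ" >&2; return 1; }
    same_subnet "$ip" "$gw" "$mask" || { echo "GATEWAY $gw is not in the subnet of $ip/$mask" >&2; return 1; }
    printf 'BOOTPROTO=static\nIPADDR=%s\nNETMASK=%s\nGATEWAY=%s\nNM_CONTROLLED=no\nONBOOT=yes\n' "$ip" "$mask" "$gw"
}

# Demo with the post's address and a constructed gateway; merge the printed
# lines into ifcfg-eno16777736 (other keys in that file stay as they are).
render_ifcfg 192.168.1.16 255.255.255.0 192.168.1.1
```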

Now CentOS 7 should be set up to network via the static local IP of your choice. But the connection isn’t bridged outside of the VM. After some fiddling around, here’s what worked for me. I went out to the VMWare interface, clicked on the double arrow icon to open the networking menu, and clicked Network Adapter Settings…

[screenshot: VMWare Network menu]

From the menu, I chose Autodetect, as shown below:

[screenshot: VMWare Network Adapter Settings with Autodetect selected]

Once I had these configuration changes in place, I could access the CentOS instance via SSH and SFTP from my dev machine.

By the way, from my reading, it also seems possible to use the Network Manager to achieve the same end. In this case, you’d leave the config file for your network device alone, and instead run the nmtui command. Search Google for more complete instructions. You’ll still need to bridge the connection through VMWare though.

Hope this helps somebody.

PS - If you can access the instance via SSH or SFTP, but cannot from a browser, you may need to either disable and stop firewalld:

systemctl disable firewalld
systemctl stop firewalld

or better, figure out how to configure it properly to allow access via a browser, which I cover in the next article, Exploring CentOS 7 firewalld.


(Mon, 22 Dec 2014 02:00:22 GMT)

Change Location of ColdFusion Webroot

I’m in the process of preparing a server to test CF11 with nginx as the front end webserver. Since nginx will act as a reverse proxy for any files that need to be processed by CF, essentially .cfm files, and serve any other assets directly (images, css and js files, etc), I want to relocate the ColdFusion webroot to a directory outside of the cf installation directories. A little googling led me to an old blog post that outlined the process in sufficient detail that I got it working on the first shot. Thanks Ryan! This post is both to refresh the collective knowledge cache and affirm that the technique works on CF11 as well as CF10.

The first step is to locate the server.xml file, which you will find at

/cfusion/runtime/conf/server.xml

Make a backup of it. If something goes wrong, you can use the backup to restore CF to a working state again. Note that CF needs to be able to locate the CFIDE and WEB-INF directories to function properly, and these are both located within the default webroot location. So make a backup of server.xml before proceeding.

Open server.xml for editing, scroll down to the bottom of the file where you should find the following line commented out:

<!-- <Context path="/" docBase="<cf_home>\wwwroot" WorkDir="<cf_home>\runtime\conf\Catalina\localhost\tmp" ></Context>  -->

Assuming the installation directory is /opt/cf11, so that I can give a concrete example, uncomment that line and adapt it to the following model, which is working on my CF11 installation:

<Context path="/" docBase="/var/www" WorkDir="/opt/cf11/cfusion/runtime/conf/Catalina/localhost/tmp" aliases="/CFIDE=/opt/cf11/cfusion/wwwroot/CFIDE,/WEB-INF=/opt/cf11/cfusion/wwwroot/WEB-INF"></Context>

The docBase is the new webroot location, which must already exist, but can be of your choice. WorkDir points to an existing location in the installation directories. The aliases are essential, so that CF can find the CFIDE and WEB-INF directories. Adjust the slant of the slashes depending on your operating system, Windows or Linux. Use absolute paths for these settings, so on a Windows server, they would likely begin with a drive letter.

After you’ve edited and saved server.xml, restart ColdFusion, place some cf code in the docBase directory, and browse to it via localhost:8500/ to make sure it works. Also check if you can still access the CF admin panel at localhost:8500/CFIDE/administrator/, which CF should find via the aliases= declaration. If both those tests succeed, you should be good to go!
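As an added pre-flight script (my code, not the post's or Adobe's) for the Linux case: it backs up server.xml, verifies that the new docBase and every directory the aliases and WorkDir point at actually exist, and only then prints the Context line to paste in, so a typo cannot leave CF unable to find CFIDE or WEB-INF after the restart. /opt/cf11 and /var/www are the post's example paths; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks before editing
# server.xml on a Linux CF11 install. /opt/cf11 and /var/www are the post's
# example paths; the function names are hypothetical.

# backup_server_xml CF_HOME -> copies cfusion/runtime/conf/server.xml to a
# timestamped .bak beside it and prints the backup path
backup_server_xml() {
    src=$1/cfusion/runtime/conf/server.xml
    [ -f "$src" ] || { echo "no server.xml at $src" >&2; return 1; }
    dst=$src.$(date +%Y%m%d%H%M%S).bak
    cp "$src" "$dst" && echo "$dst"
}

# cf_context_line CF_HOME DOCBASE -> prints the <Context> element from the post,
# or fails naming the missing path. docBase must already exist, and the aliases
# must resolve to the real CFIDE and WEB-INF directories under the old webroot.
cf_context_line() {
    cf_home=$1 docbase=$2
    case $docbase in /*) ;; *) echo "docBase must be an absolute path: $docbase" >&2; return 1 ;; esac
    wwwroot=$cf_home/cfusion/wwwroot
    for d in "$docbase" "$wwwroot/CFIDE" "$wwwroot/WEB-INF" "$cf_home/cfusion/runtime/conf"; do
        [ -d "$d" ] || { echo "missing directory: $d" >&2; return 1; }
    done
    printf '<Context path="/" docBase="%s" WorkDir="%s/cfusion/runtime/conf/Catalina/localhost/tmp" aliases="/CFIDE=%s/CFIDE,/WEB-INF=%s/WEB-INF"></Context>\n' \
        "$docbase" "$cf_home" "$wwwroot" "$wwwroot"
}

# Run as: sh thisscript.sh /opt/cf11 /var/www
if [ $# -eq 2 ]; then
    backup_server_xml "$1" && cf_context_line "$1" "$2"
fi
```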

References:

  1. http://blog.bittersweetryan.com/2012/02/changing-webroot-of-coldfusion-zeus.html
  2. http://blogs.coldfusion.com/post.cfm/getting-started-with-tomcat-in-coldfusion-10

(Mon, 22 Dec 2014 02:00:22 GMT)

Weekend quiz: Adam Presley's answer - redux (Go)
G'day:
Adam Presley is a bit of a star. I had a look at his original entry to the quiz and decided I didn't like it as it was too long-winded ("Weekend quiz: Adam Presley's answer (Go)"). He's subsequently come back to me with a simplified version, listed on his own blog: Response To Adam Cameron's Code Review. He took my comments in good grace, which is very good of him.

Let's have a look at this new version:


// getSubseries.go

package main

import (
	"flag"
	"fmt"
	"os"
	"strconv"
	"strings"
)

type SubArrayResult struct {
	Sequence []int
	Total    int
}

var input = flag.String("input", "", "Comma delimited list of integer numbers")
var threshold = flag.Int("threshold", 10, "Integer number for array slice to not exceed")

func main() {
	flag.Parse()

	/*
	 * Array of integers to determine longest sequence from. These are a string
	 * list on the command line that are converted to integers.
	 */
	inputArray := make([]int, 0)

	if *input == "" {
		fmt.Println("Please provide a valid input of comma delimited integers")
		os.Exit(1)
	}

	/*
	 * Get the input from the console args, and split them up
	 * into integers in an array
	 */
	for _, value := range strings.Split(*input, ",") {
		i, err := strconv.Atoi(value)
		if err != nil {
			fmt.Println("ERROR - Unable to convert", value, "to integer")
			os.Exit(1)
		}

		inputArray = append(inputArray, i)
	}

	/*
	 * Loop, slice, sum
	 */
	sequences := make([]SubArrayResult, 0)

	for index, _ := range inputArray {
		sequence := make([]int, 0)
		total := 0

		inputSlice := inputArray[index:]

		for _, value := range inputSlice {
			if (total + value) <= *threshold {
				total += value
				sequence = append(sequence, value)
			} else {
				break
			}
		}

		if len(sequence) > 0 {
			result := SubArrayResult{
				sequence,
				total,
			}

			sequences = append(sequences, result)
		}
	}

	/*
	 * Who wins?
	 */
	longestIndex := 0
	longestLength := 0

	for index, item := range sequences {
		if len(item.Sequence) > longestLength {
			longestLength = len(item.Sequence)
			longestIndex = index
		}

		if len(item.Sequence) == longestLength && item.Total > sequences[longestIndex].Total {
			longestLength = len(item.Sequence)
			longestIndex = index
		}
	}

	if len(sequences) > 0 {
		winningSequence := sequences[longestIndex]

		fmt.Println("")
		fmt.Println("Sequence", winningSequence.Sequence, "wins with a length of", len(winningSequence.Sequence), " for a total of", winningSequence.Total)
	} else {
		fmt.Println("No winners :(")
	}
}

I won't go through the syntactical minutiae here, as I also need to write up my own answer using Go, and I think I use all the constructs in my code as are used here, so will discuss in one place.

It runs from the commandline, thus:


C:\src\go\src\adampresley>go run getSubseries.go -input=100,50,50,50,50,50,500,100,60,60,60,60,60,500 -threshold=500

Sequence [100 60 60 60 60 60] wins with a length of 6  for a total of 400

C:\src\go\src\adampresley>

That was the trickiest test, and it passed fine. I also ran the one that tripped up his original version:


C:\src\go\src\adampresley>go run getSubseries.go -input=600,700,800,900 -threshold=500
No winners :(

C:\src\go\src\adampresley>


It's good to see he's fixed that one.

This version is much more to the point than the previous version, which is good. Adam's had an interesting approach here: he extracts all the subseries which fall within the threshold, and then examines those to pull out the most fitting one. This'll be a byproduct of his initial approach which used parallel processing to expedite matters. He explains this on his initial entry which is on Github, here: https://github.com/adampresley/adamCameronCodeChallenge201411. One thing I do like about his initial take on things is to leverage Go-specific features like this. My approach with all languages so far has pretty much taken the same route, and is using very generic code: the logic and approach has always been the same, with the differences being down to how various languages implement the coding elements I'm using. This is useful too, as it makes for an interesting comparison, even if it's not the ideal approach to solving the challenge for the language concerned.

From a code perspective, I might have factored-out some of the phases here into helper functions:
  • preprocess the command line args
  • the main function which returns the result
  • within that have sub functions for extracting the subseries
  • and finding the best one
The main() function is pretty long here. And the comment blocks might not be necessary if the code was sub-functioned.

I'm bloody pleased Adam put both these entries in, especially the second one. I'd never set out to look at Go before, but our conversation has piqued my interest in it now. As a result I felt compelled to work through my own answer, which took about 8h in total to write, debug, test (yeah, sorry, no TDD on this one) and re-debug. The good thing is now I can understand Adam's code above just fine, and I think I'll put some effort into going through his initial entry now. I want to know about these "goroutines", for one thing.

Cheers mate!

--
Adam

PS: I was hoping to write-up my own Go solution today, but I got off to a late start, and working out how to test it, then tracking down a glitch the tests revealed took me longer than the hour-or-so I was expecting to take. I've got a bit of a truncated afternoon today as my mate Leanne has scored us some tickets to go see The Cure, so I need to head over to the other side of London to do that, soonish. This is cool... I was a huge Cure fan in my formative years (even - occasionally - with pointy-up hair, etc), and whilst my musical whim has moved on a bit now, I still really like their stuff and have not been to a gig of any description since Glastonbury 2012, so really looking fwd to it. Time to go put my lippy on, and do some back-combing...
(Mon, 22 Dec 2014 02:00:05 GMT)

CentOS System Administration Essentials Book Review
CentOS System Administration Essentials is currently available from Packt Publishing as part of the $5 eBook Bonanza.
(Sun, 21 Dec 2014 17:37:23 GMT)

Run groovy scripts in sublime text
Wondering how to run Groovy files in Sublime Text? It's really quite simple - to create a new build system in Sublime Text go to Tools > Build System > New Build System and copy/paste the code below { "cmd": ["groovy","$file"], "selector": "...
(Sun, 21 Dec 2014 16:00:16 GMT)


Grails - Reloading a service without stopping your app
When a grails application is started most Grails artifacts are reloaded as they are changed - controllers, filters, tag libraries, but the opposite is true if you strongly type your services like below. FakeService fakeService However if y...
(Sat, 20 Dec 2014 18:00:15 GMT)


Windows Media Center Reports No Signal when Recording
I was having a problem with my local ABC station working when I viewed the channel to watch a show, but every recording was failing saying "There was no TV signal when the show was scheduled to record" even if I went to the channel immediately follow...
(Sat, 20 Dec 2014 18:00:15 GMT)

