
What is this about?

So far I have installed all services on my server, such as mail, database and web server, in one operating system. This is of course inconvenient, since a problem or a security incident can affect all services at once. However, classic virtualization requires many resources because all hardware must be virtualized. I therefore decided to use LXD containers, which require hardly any more resources than the processes running in them. The containers behave like independent operating systems. LXD containers are therefore not comparable with e.g. Docker containers, as these normally host just one process.

This article covers the installation of Nextcloud and Collabora in two separate LXD containers on a server with only one public IP address. We don’t use Docker for Collabora as many other guides do. A previous installation of LXD is not required – we start at the very beginning. For convenience I’ll use the root user – you can of course use ‘sudo’ if you want. I also tried using just different subdomains instead of two different domains, but this resulted in several Collabora errors I wasn’t able to figure out. That’s why we use two different domains for this how-to. Enough said, let’s start:

Step 1: Install LXD

The server (LXD host) runs with Ubuntu 16.04.4. LXD is already included in the repository, but we will install the latest version from the backports:

apt update && apt install zfsutils-linux -y
apt install -t xenial-backports lxd lxd-client -y


AirPrint jail for FreeNAS

I just switched from Ubuntu Linux to FreeNAS on my home server. On Ubuntu, CUPS (the printer framework we will configure in this guide) is already patched for AirPrint compatibility. On FreeBSD (that’s what FreeNAS is based on) things are a bit different. This is how I got it to work.

First, create a new jail from the FreeNAS UI (Jails, Add jail). Give it a name, e.g. “airprint”. Give it a unique IP address and mark “autostart”, “VIMAGE” and “vanilla”. Then connect to your FreeNAS using SSH or the UI console. Type jls and note the number of your newly created jail. Then type jexec # csh and replace “#” with the number of your jail.

Now it’s time to install some software.


Security issue in current version of Cisco Jabber for Mac

Current versions of the Jabber for Mac client track your activity with Google Analytics. This includes starting/ending an IM session, call metadata etc.

This behavior is currently not documented and Cisco does not provide settings in CUCM as it does for the iOS clients.

However, there is a client setting you can set to disable Google Analytics tracking. Open terminal and type:

defaults write com.cisco.Jabber ARXUserDefaultsDisableAnalyticsKey -bool YES

You need to restart your Jabber Client to make this work.

Special thanks to https://twitter.com/ingochao for contacting Cisco security. BTW, the Cisco Mac development unit announced that a later version of the client will stop using Google Analytics.

Warning: This article may give information on how to obtain data stored in your Apple account. Also, I’ve no idea if the given information is still valid or if Apple has changed its method to cancel accounts.

Back in August 2011 I visited the Black Hat security conference in Vegas and decided to create a second Apple ID with a US prepaid credit card. With this account I was able to test iTunes Match, a service that was not available in Europe at this time.

Later, back in Europe, I decided to cancel this account as I no longer needed it and the amount of money charged on my prepaid credit card was expended anyway.

As there is no “click here to cancel your account” button, you have to contact Apple by mail. I have included the original mails at the end of this article. I got the response that the account has been canceled so I was fine with that.

To my surprise, a few minutes later I received a mail from Apple saying that my contact email address had been successfully changed. What happened was that Apple didn’t really cancel my account…

For some virtual machines in a VMware cluster it makes sense to configure a separation across different ESX hosts. Exchange servers or virtual domain controllers in particular should not run on the same host, so that the services remain available if a host in the ESX cluster fails.

On the other hand, you may want exactly the opposite, with certain machines always kept on the same host. Both are handled by DRS rules, which can be configured in the VMware Client.

Separating with DRS rules

The rules can be edited in the VMware Client under Hosts and Clusters, in the settings of the respective cluster.

In the vSphere DRS section under Rules, click Add at the bottom, give the rule a name and select the type.

For the two rules Keep Virtual Machines Together and Separate Virtual Machines you can simply select the matching VMs via Add. These then either always run on the same host or never do.

To have virtual machines run on a specific ESX host, you first have to create a group for the desired VMs and a group for the ESX hosts in the DRS Groups Manager. Both groups can of course contain just one VM and one ESX host if needed.

Furthermore, this rule offers a choice between Should run on hosts in group and Must run on hosts in group. Think carefully about which one you want. If you are not sure, choose Should run, because Must run can, in case of doubt, mean that the machine can no longer be started due to CPU or memory load.


Juniper Network Connect is Juniper’s cross-platform VPN client that comes with many Juniper appliances. The OS X client installs itself using a browser Java plugin when connecting to the company’s VPN portal. In the first Lion beta the Java browser plugin is not available, so you cannot install the client. It’s also not possible to just drag and drop the client from an existing Snow Leopard installation, as the Network Connect installer installs some files in directories other than /Applications.

You can, however, use the installer DMG from the Juniper appliance itself when you have administrative access to it. If not, ask your company’s administrator.

Just mount the DMG and launch the .pkg installation file. It installs and runs just fine on Lion.

Apple just released the first beta version of its upcoming OS X 10.7 “Lion” operating system to subscribed developers. It’s meant for developers to port and test their software on the new version. However, even testing and developing needs a comfortable environment, and that can be achieved by installing the software you use daily. Most of my software installs and works quite well, which is remarkable considering that this is the very first beta.

However, three little tools needed some “help” to make them install: Xmarks, Dropbox and MenuMeters.

Defrag OS X files

What’s the problem?

You may think you don’t have to deal with disk defragmentation on OS X as OS X does it all for you. In most cases you are right, as OS X automatically tries to avoid fragmentation on files < 20MB. However, larger files are sometimes heavily affected. I noticed it when playing one of Valve’s Steam games like Portal or Half-Life 2. These titles use large game cache files (*.gcf), and every time I started one of these games I heard my hard drive scratching, which is not very common on an iMac.

How to find fragmented files?

The best way to find fragmented files on a Mac is a little command line tool…

Starting with Safari 5, Apple has included extensions support, which makes Safari a real Firefox alternative for me. As a long-time Firefox user I’ve saved many passwords in its keystore. For bookmarks, the exchange between the two browsers is easy as both support exporting and importing them as flat HTML files.

Passwords are stored in a Firefox-specific database and Safari uses OS X’s keychain, so we need to import our passwords into the keychain. There is a commercial solution called 1Password, but I was looking for a smaller and free solution.

In Germany, the current iPhone 4 can officially be bought only together with a Telekom mobile contract. Importers do offer SIM-lock-free devices, but they charge very high prices.

You can get around the problem by buying it yourself in a neighbouring European country. For example, you can buy it online directly from the Apple Store France or UK. There you can sign in with your German iTunes account and are then also the invoice recipient with your German address. The only catch is that you need an address in the respective country to which the iPhone is then shipped. But someone among your acquaintances can surely help out…

In Great Britain, the address problem can be worked around very elegantly. Borderlinx offers a forwarding service that forwards all incoming shipments directly to a specified address in Germany. The fee pays off, since the iPhone is very cheap to buy there anyway thanks to the pound/euro exchange rate. I was able to verify this route myself with two devices (end of August ’10)! With devices from Great Britain, however, keep in mind that a power adapter with a UK plug is included.

Update 2:

A SIM-lock-free iPhone can now also simply be bought in Germany directly at the AppleStore or from O2.