csatblogspotdotcom

Wednesday, January 21, 2009

Tunnel Everything through SSH (repost)

Tunnel Everything through SSH
from http://www.plenz.com/tunnel-everything


In this tutorial I'll cover how you can tunnel any TCP traffic through an encrypted SSH connection or a SOCKS server, even if a certain program doesn't support proxying of connections natively.

The only requirement for SSH tunneling to work is a shell account on a machine connected to the internet (and, optionally, an HTTP proxy server). I will refer to this account as your server (it doesn't matter if you cannot become root).
Tunneling HTTP

In case you just want to tunnel HTTP traffic (to browse safely, to have requests appear to originate from a different IP and/or to keep clear-text HTTP passwords off your LAN), best practice is to set up Privoxy on your server. By default, Privoxy binds to 127.0.0.1:8118 (thus only allowing connections from localhost), which is exactly what we want; no configuration is needed for this.

The next step is to establish a tunnel from your computer to your server's Privoxy. That is done with the following SSH command:

ssh -NL 8118:localhost:8118 user@server

This command opens a tunnel on your computer: All connections to port 8118 will be forwarded (encrypted, of course) over the SSH connection and come out at your server's port 8118 (where Privoxy is running).

Once you have established the connection you will want to edit your browser's proxy settings accordingly. Just set the HTTP (and, with some browsers, the HTTPS) proxy to localhost, port 8118.
Advantages

The great advantage over SOCKS tunneling (see below) is that even the DNS requests are made from your server, so no-one on your LAN can see which sites you are visiting. (With the SOCKS tunnel the client resolves names itself unless it is a SOCKS5 client that puts the hostname into the request; browsers usually have to be told to do that, and tsocks, which only sees the already-resolved address, never does.) Another advantage is that Privoxy already filters out some advertisements and removes sensitive headers from your requests.
Tunneling Arbitrary Protocols (Dynamic Forward/SOCKS)

If you want to tunnel not just HTTP traffic but arbitrary other TCP protocols as well, an HTTP proxy isn't adequate any more. Instead, you'll have to set up a SOCKS proxy. That also is possible with SSH:
Setting up the SSH proxy

Setting up the SSH SOCKS proxy is really easy. On your computer, just enter the following command:

ssh -ND 3333 user@server

That command establishes a connection to your server, logs in as user user (you'll have to enter your password, of course) and makes ssh itself act as a small SOCKS proxy, listening on port 3333 on your computer.

All connections to port 3333 on your computer are carried over the secure SSH channel, and the sshd on your server then opens them to their destination. By default ssh binds that listener to localhost only; if you bind it to another address (-D 0.0.0.0:3333), everyone who can reach that port gets an open proxy out of your server.

Now you'll have to configure the program you want to connect through that tunnel to use localhost, port 3333 as its SOCKS server (if you have the choice, select SOCKS version 5).

Not many programs support SOCKS proxy forwarding natively (hardly any CLI programs). But there is a workaround for that: tsocks. It enables arbitrary programs which don't support the SOCKS protocol natively to establish connections via a SOCKS server.
How tsocks works

On your computer, install the tsocks program.

I won't go into detail about how this program works, but it basically does the following:

* Before the actual program is loaded, tsocks loads its own shared library.
* This library overrides the C library's connect() function with its own (the kernel is not touched; this only works for dynamically linked programs, and the dynamic loader ignores LD_PRELOAD for setuid binaries).
* Whenever the program opens a TCP connection, the replacement connect() negotiates it with your SOCKS proxy instead (and thus over the secure tunnel) and hands the connected socket back to the program.

All this is done by setting the environment variable LD_PRELOAD to /usr/lib/libtsocks.so.

The tsocks program itself is just a simple shell wrapper script. All the actual redirecting is done by the library.
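What the intercepted connect() actually negotiates through the ssh -D port is a SOCKS5 CONNECT exchange. The following is an added example, not code from the article or from tsocks: both sides of the handshake run over an in-memory socket pair, the proxy side being a stub that records the requested destination and claims success instead of really connecting. The destinations 93.184.216.34 and example.com are constructed inputs, and port 3333 is the ssh -D port used above. It shows the difference that matters for the DNS point made earlier: a client that has already resolved the name (as tsocks must, since connect() only sees an address) sends address type 1, whereas a client sending address type 3 leaves resolution to the server end.

```python
# Added example (not from the original article, nor tsocks' code): the SOCKS5
# CONNECT exchange as it crosses localhost:3333 in front of `ssh -D 3333`.
import socket
import struct
import threading

VER = 0x05            # SOCKS version (RFC 1928)
NO_AUTH = 0x00        # "no authentication", the method ssh -D offers
NO_ACCEPTABLE = 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4 = 0x01
ATYP_DOMAIN = 0x03
REP_SUCCEEDED = 0x00


def _recv_exact(sock, n):
    """Read exactly n bytes from a stream socket, or raise on EOF."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during SOCKS handshake")
        buf += chunk
    return buf


def build_connect_request(host, port):
    """A dotted quad goes out as ATYP 1 (resolved locally, all tsocks can do);
    any other string goes out as ATYP 3 so the proxy end resolves the name."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_connect_request(sock):
    """Read a CONNECT request; returns ('ip' | 'name', host, port)."""
    ver, cmd, _rsv, atyp = _recv_exact(sock, 4)
    if ver != VER or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_IPV4:
        kind, host = "ip", socket.inet_ntoa(_recv_exact(sock, 4))
    elif atyp == ATYP_DOMAIN:
        kind, host = "name", _recv_exact(sock, _recv_exact(sock, 1)[0]).decode("idna")
    else:
        raise ValueError("unsupported address type %d" % atyp)
    (port,) = struct.unpack("!H", _recv_exact(sock, 2))
    return kind, host, port


def socks5_client(sock, host, port):
    """Client side: method negotiation, then CONNECT.  Returns the reply code."""
    sock.sendall(bytes([VER, 1, NO_AUTH]))             # VER NMETHODS METHODS
    ver, method = _recv_exact(sock, 2)                 # VER METHOD
    if ver != VER or method != NO_AUTH:
        raise ConnectionError("proxy rejected our authentication methods")
    sock.sendall(build_connect_request(host, port))
    ver, rep, _rsv, atyp = _recv_exact(sock, 4)        # VER REP RSV ATYP
    if atyp == ATYP_IPV4:                              # then BND.ADDR BND.PORT
        _recv_exact(sock, 4 + 2)
    elif atyp == ATYP_DOMAIN:
        _recv_exact(sock, _recv_exact(sock, 1)[0] + 2)
    if rep != REP_SUCCEEDED:
        raise ConnectionError("SOCKS CONNECT failed, reply code %d" % rep)
    return rep


def socks5_stub_server(sock, seen):
    """Proxy side, cut down to the exchange: records the destination in `seen`
    and claims success.  The real ssh -D end would now connect() from the server."""
    try:
        ver, nmethods = _recv_exact(sock, 2)
        methods = _recv_exact(sock, nmethods)
        if ver != VER or NO_AUTH not in methods:
            sock.sendall(bytes([VER, NO_ACCEPTABLE]))
            return
        sock.sendall(bytes([VER, NO_AUTH]))
        seen.append(parse_connect_request(sock))
        # VER REP RSV ATYP BND.ADDR=0.0.0.0 BND.PORT=0
        sock.sendall(bytes([VER, REP_SUCCEEDED, 0x00, ATYP_IPV4]) + bytes(6))
    finally:
        sock.close()


def exchange(host, port):
    """Run one handshake over a socket pair; returns what the proxy side saw."""
    client_sock, server_sock = socket.socketpair()
    seen = []
    worker = threading.Thread(target=socks5_stub_server, args=(server_sock, seen))
    worker.start()
    try:
        socks5_client(client_sock, host, port)
    finally:
        client_sock.close()
        worker.join()
    return seen[0]
```

exchange("93.184.216.34", 80) returns ('ip', '93.184.216.34', 80), the shape tsocks produces; exchange("example.com", 443) returns ('name', 'example.com', 443), where the name reaches the proxy unresolved and the lookup happens on the server side.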
Editing the /etc/tsocks.conf

Now you'll have to edit the file /etc/tsocks.conf to relay all connections through your proxy. Open the file and delete all lines. Then enter just the following two lines:

server = 127.0.0.1
server_port = 3333

If you may not become root ...

... just enter the two lines from above into a file called .tsocks.conf and place it in your home directory. Then, write a little shell script:

#!/bin/sh

TSOCKS_CONF_FILE=$HOME/.tsocks.conf
export TSOCKS_CONF_FILE
exec tsocks "$@"

I call this script viaservername. Place this script in a directory contained in your $PATH and make it executable.
Tunneling Connections

For programs that natively support proxying connections (e.g. Mozilla Firefox) you can now set the proxy address to localhost port 3333. I don't recommend doing that for browsers; instead, use HTTP tunneling (see above).

All other programs whose connections you want to tunnel through your server are prefixed with tsocks. This would look like some of the following program calls (if you wrote a shell script, use that instead of tsocks):

tsocks dog http://www.google.com
tsocks netcat example.com 80
tsocks irssi -c irc.freenode.net -p 6667

If you call tsocks without parameters it executes a shell with the LD_PRELOAD environment variable already set and exported. That means that every program called from this shell will be redirected through the external server, and every subshell started from this shell will also have the LD_PRELOAD variable set. So if you started tsocks directly after logging in, all your traffic would be redirected through your external server.
Example

$ cat =myip
#!/bin/sh
lynx -dump http://tnx.nl/ip

$ ssh -fND 3333 xxx@feh # -f: goes to background after prompting for password
xxx@feh.name's password:

$ IP=`myip`; host $IP
Name: p54XXXX8B.dip.t-dialin.net
Address: 84.143.XXX.XXX

$ IP=`tsocks myip`; host $IP
16:15:23 libtsocks(26802): Call to connect received on completed request 3
Name: feh.name
Address: 217.160.108.109

Have fun!
© 2005-2006 Julius Plenz
Questions? Suggestions? Reviews? I love to receive email!
$Id: tunnel-everything.php 73 2006-03-02 12:16:36Z feh $


Note: as I understand the above, an HTTP proxy can be set up even when the ssh server side hasn't enabled forwarding: the server needs to run privoxy, and the local machine logs into the server (with -L).


Tuesday, January 20, 2009

The proxy software tsocks

The biggest advantage of this software is that it lets application-layer programs use a SOCKS proxy transparently. According to its official description, tsocks is a "transparent socks proxying library". I looked into how it is implemented; roughly it goes like this:

First, the library /lib/libtsocks.so and a script /usr/bin/tsocks are installed on the system. /lib/libtsocks.so is just a library file, used by /usr/bin/tsocks.

/usr/bin/tsocks is a shell script using /bin/sh, so there are some bugs when it runs: it reports a basename error (basename -bash fails), and you need to add "--" after basename in the file, making it "basename -- -bash". What this script does is set the environment variable $LD_PRELOAD and print a few hints (the $LD_PRELOAD variable lists shared libraries that are loaded ahead of the others before a program runs). Specifically, if $LD_PRELOAD is empty it is set to /lib/libtsocks.so; if not, /lib/libtsocks.so is prepended to the existing $LD_PRELOAD so that it has the highest priority. At run time /lib/libtsocks.so is therefore loaded first, and it replaces the original network connect() function with its modified connect(), so that all of the connection's traffic passes through tsocks. The official explanation follows:
about: http://tsocks.sourceforge.net/about.php
tsocks Internally
tsocks is based on the 'shared library interceptor' concept. Through use of the LD_PRELOAD environment variable or the /etc/ld.so.preload file tsocks is automatically loaded into the process space of every executed program. From there it overrides the normal connect() function by providing its own. Thus when an application calls connect() to establish a TCP connection it instead passes control to tsocks. tsocks determines if the connection needs to be made via a SOCKS server (by checking /etc/tsocks.conf) and negotiates the connection if so (through use of the real connect() function).

Here is how to use it:
First, after installing the software, configure /etc/tsocks.conf; this is my configuration file:
# This is the configuration for libtsocks (transparent socks)
# Lines beginning with # and blank lines are ignored
#
# This sample configuration shows the simplest (and most common) use of
# tsocks. This is a basic LAN, this machine can access anything on the
# local ethernet (192.168.0.*) but anything else has to use the SOCKS version
# 4 server on the firewall. Further details can be found in the man pages,
# tsocks(8) and tsocks.conf(5) and a more complex example is presented in
# tsocks.conf.complex.example

# We can access 192.168.0.* directly
#local = 192.168.0.0/255.255.255.0
local = 192.168.***.0/255.255.255.0

# Otherwise we use the server
#server = 192.168.0.1
server = 127.0.0.1
server_type = 5
server_port = ****
The configuration file is simple and clear; no explanation is needed.
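The decision tsocks makes from this file (and from the two-line version in the reposted article above) is a per-destination one: addresses inside a "local" range are connected directly, everything else goes to the SOCKS server. The following is an added example, not tsocks' own code, that parses a config in this shape and makes that decision. The config text is constructed: the 127/8 "local" line is my addition so that the SOCKS server itself counts as local, port 3333 is the ssh -D port from the article above, and the fallbacks of port 1080 and SOCKS 4 when server_port or server_type are missing are assumed defaults.

```python
# Added example (not tsocks' code): the direct-or-via-SOCKS decision that
# tsocks makes for each connect() from the ranges in /etc/tsocks.conf.
import ipaddress

# Constructed sample in the shape of /etc/tsocks.conf.  The 127/8 entry is an
# addition so the SOCKS server itself is "local"; 3333 is the ssh -D port.
SAMPLE_CONF = """\
# Lines beginning with # and blank lines are ignored
local = 127.0.0.0/255.0.0.0
local = 192.168.1.0/255.255.255.0   # the LAN, reached without the proxy
server = 127.0.0.1
server_type = 5
server_port = 3333
"""


def parse_tsocks_conf(text):
    """Parse `key = value` lines.  `local` may repeat and is kept as a list of
    networks; the netmask is written in dotted form, as in tsocks.conf(5)."""
    conf = {"local": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        key, value = key.strip(), value.strip()
        if key == "local":
            conf["local"].append(ipaddress.ip_network(value, strict=False))
        elif key in ("server", "server_port", "server_type"):
            conf[key] = value
        else:
            raise ValueError("unknown key: %s" % key)
    if "server" not in conf:
        raise ValueError("no server = ... line")
    # Assumed defaults when the keys are absent: port 1080 and SOCKS 4 (which
    # is why the page's config sets server_type = 5 explicitly).
    conf["server_port"] = int(conf.get("server_port", 1080))
    conf["server_type"] = int(conf.get("server_type", 4))
    return conf


def route(conf, dest_ip):
    """('direct', None) for a destination inside a `local` range, otherwise
    ('socks', (server, port, version)).  `dest_ip` is already an address:
    connect() only receives a sockaddr, so the DNS lookup that produced it has
    already gone out unproxied.  That is the DNS leak of this approach."""
    ip = ipaddress.ip_address(dest_ip)
    if any(ip in net for net in conf["local"]):
        return ("direct", None)
    return ("socks", (conf["server"], conf["server_port"], conf["server_type"]))


if __name__ == "__main__":
    conf = parse_tsocks_conf(SAMPLE_CONF)
    for dest in ("192.168.1.20", "127.0.0.1", "93.184.216.34"):
        print(dest, route(conf, dest))
```

With the sample above, 192.168.1.20 and 127.0.0.1 are connected directly and anything else, e.g. 93.184.216.34, is negotiated with the SOCKS 5 server at 127.0.0.1:3333. A line such as `local = 192.168.0.0/255.255.255.0` that does not cover your LAN sends LAN traffic through the server too, which is usually a surprise rather than a feature.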

There are three ways to run tsocks; open /usr/bin/tsocks in vi and you will find a detailed explanation inside. I'll paste /usr/bin/tsocks here anyway:
#!/bin/sh

### A wrapper script for the tsocks(8) transparent socksification library.
### Written by Dag Wieers.
###
### There are 3 modes of operandi:
###
### * tsocks <program>
###
###   This will socksify the current program only.
###   eg.
###     [user@host ~]# tsocks telnet www.foo.org
###
### * tsocks [on|off]
###
###   This will socksify the current shell (and children).
###   eg.
###     [user@host ~]# source /usr/bin/tsocks on
###     (user@host ~)# telnet www.foo.org
###     [user@host ~]# source /usr/bin/tsocks off
###
### * tsocks
###
###   This will create a new socksified shell.
###   eg.
###     [user@host ~]# tsocks
###     (user@host ~)$ telnet www.foo.org
###     (user@host ~)$ exit
###     [user@host ~]#

PRG="$(basename -- $0)"
LIB="/lib/libtsocks.so"

function set_socks {
    if [ -z "$LD_PRELOAD" ]; then
        export LD_PRELOAD="$LIB"
    elif ! echo "$LD_PRELOAD" | grep -q "$LIB"; then
        export LD_PRELOAD="$LIB $LD_PRELOAD"
    fi
}

function unset_socks {
    export LD_PRELOAD="$(echo -n "$LD_PRELOAD" | sed "s|$LIB \?||")"
    if [ -z "$LD_PRELOAD" ]; then
        export -n LD_PRELOAD
    fi
}


case "$1" in
    on) set_socks;;
    off) unset_socks;;
    show|sh)
        if echo "$LD_PRELOAD" | grep -q "$LIB"; then
            echo "$PRG: This shell is socksified."
        else
            echo "$PRG: This shell is NOT socksified."
        fi
        ;;
    -h|-?) echo "$PRG: Please see tsocks(1) or read comment at top of $0"
        exit 1
        ;;
    '')
        set_socks
        # PS1="$(echo -n "$PS1" | tr \[\] \(\)) " ${SHELL:-/bin/sh};;
        PS1="(\u@\h \W)\$ " ${SHELL:-/bin/sh}
        ;;
    *) set_socks
        exec "$@"
        ;;
esac

To check whether you are in tsocks mode (as I'll call it), you can run:
tsocks sh or tsocks show

What to do without root privileges?
(from http://www.plenz.com/tunnel-everything)

If you may not become root ...

... just enter the two lines from above into a file called .tsocks.conf and place it in your home directory. Then, write a little shell script:

#!/bin/sh

TSOCKS_CONF_FILE=$HOME/.tsocks.conf
export TSOCKS_CONF_FILE
exec tsocks "$@"

I call this script viaservername. Place this script in a directory contained in your $PATH and make it executable.


《开源》 magazine: good

Today I suddenly came across the magazine 《开源》 (Open Source), took a look, and it is quite good.
Previously 《开源》 e-mailed me every time a new issue was published, and I ignored them all; I hadn't expected the magazine to be this interesting. It reports on and analyses major events in the open-source world and also introduces some very practical techniques, so I should pay more attention to it from now on.

Note: the magazine is produced by the Linux宝库 site (linuxpk.com); the PDF edition of 《开源》 can be downloaded free of charge from that site, and some of the site's news can be subscribed to via RSS.


On QQ's login server options

Today I looked into QQ's network settings for logging in. A proxy can be configured, including a SOCKS5 proxy. After building an ssh tunnel it should have been possible to connect by configuring a SOCKS5 proxy, but logging into QQ failed. Later I changed the proxy type to HTTP or "browser" while leaving the IP and port unchanged, and surprisingly it logged in; perhaps QQ treats the ssh tunnel as an HTTP proxy.

There is also a login server option with three choices: "don't use advanced options", "TCP type" and "UDP type". I tried them: when QQ starts logging in there are many connections, and once it settles down it keeps two: one to the https port, and the other depends on the setting:
1. Without advanced options, the other connection uses the http port
2. With UDP, port 8080
3. With TCP, the https port
So TCP looks somewhat safer: all connections use https.

Later I looked at the ports with netstat again, and there didn't seem to be any pattern; I couldn't see any difference between the three modes...


Monday, January 19, 2009

Fixing basename's "invalid option" error

Running . tsocks on gives the error
basename: invalid option -- b
Try `basename --help' for more information.
So I opened /usr/bin/tsocks in vi and saw that the first line is #!/bin/sh, so I ran sh to get into sh (I had been in bash), ran . tsocks on again and there was no error. So it was the shell's doing; I guessed basename assumes sh and is somewhat incompatible with bash. The problem was solved, but that still didn't feel right, so I kept googling.
Later I found that it is a "-" problem, for example
basename -bash
complains about invalid option b.
Adding "--" in between fixes it:
basename -- -bash works fine.
So I opened /usr/bin/tsocks in vi, looked for basename, and sure enough there was no "--" after it; I added it, ran
. tsocks on
and there was no problem.

NB: basename extracts the file name from a full path, stripping the leading directories; for example it returns tsocks for /usr/bin/tsocks.


Postscript: when deleting a file whose name begins with a dash "-", you can likewise put a "--" argument before the file name:
rm -- -foo
or prefix "./":
rm ./-foo
Also, to delete a file whose name begins with "\", you can:
rm \\foo


scp is powerful

I just discovered that scp can, from one machine, copy files between two other machines, while sftp only transfers between the local machine and a server.


How to keep an ssh connection from dropping due to timeout (repost)

There are two parts. First,
from http://www.webmasterworld.com/linux/3078346.htm
zCat's comment there:
There's also a setting "ServerAliveInterval #*$!" (where #*$! is a number of seconds) which you can add to your .ssh/config etc.; this makes the client refresh the connection periodically.


Second part,
from http://drupal.star.bnl.gov/STAR/comp/sofi/facility-access/ssh-stable-con

SSH connection stability
Submitted by jeromel on Tue, 2006-12-19 16:58. Under: computing

IF

* Your SSH connections are closed from home
* You get disconnected from any nodes without any reasons?
* ... and you are a PuTTY user
* ... or an Uglix SSH client user

This page is for you. If you are another user, use different clients and so on, this page may still be informative and help you stabilize your connection (the same principles apply).

PuTTY users

To connect to the gateway with PuTTY (from a home connection), you have to

* set up a session, and be sure to enable SSH
* go to the 'Connection' menu and check the following option boxes
o Disable Nagle's algorithm (TCP_NODELAY option)
o Enable TCP keepalives (SO_KEEPALIVE option)
* Furthermore, in 'Connection' -> 'SSH' -> 'Tunnels' enable the option
(Note: 'Tunnels' here should be 'X11')
o Enable X11 forwarding
o Enable MIT-Magic-Cookie-1
* Save the session

Documentation on those features (explanation for the interested) are added at the end of this document.


SSH Users

SSH users who own their system can first of all edit the SSH client configuration file and make sure the settings are turned on by default. The client configuration is likely located at /etc/ssh_config or /usr/local/etc/ssh_config depending on where you have ssh installed.

But if you do NOT have access to the configuration file, the client can nonetheless pass on options from the command line. Those options would have the same name as they would appear in the config file.

In particular, TCP keepalive is controlled via the SSH configuration option TCPKeepAlive.

% ssh -o TCPKeepAlive=yes

You will note in the next section that TCP keepalives are spoofable (they work well, but please consider the ServerAliveInterval/ServerAliveCountMax mechanism), so you may use instead

% ssh -o TCPKeepAlive=no -o ServerAliveInterval=15

Note that the value 15 in our example is purely empirical. There are NO magic values and you need to test your connection and detect when (after what time) you get kicked out and disconnected and set the parameters from your client accordingly. Let's explain the default first and come back to this and a rule of thumb.

There are two relevant parameters (in addition to TCPKeepAlive):


ServerAliveInterval

Sets a timeout interval in seconds after which if no data has been received from the server, ssh will send a message through the encrypted channel to request a response from the server. The default is 0, indicating that these messages will not be sent to the server.

This option applies to protocol version 2 only.


ServerAliveCountMax

Sets the number of server alive messages (see above) which may be sent without ssh receiving any messages back from the server. If this threshold is reached while server alive messages are being sent, ssh will disconnect from the server, terminating the session. It is important to note that the use of server alive messages is very different from TCPKeepAlive (below). The server alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The server alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive.

The default value is 3. If, for example, ServerAliveInterval (above) is set to 15, and ServerAliveCountMax is left at the default, if the server becomes unresponsive ssh will disconnect after approximately 45 seconds.


In our example

% ssh -o TCPKeepAlive=no -o ServerAliveInterval=15

The recipe should be: if you get disconnected after N seconds, play with the above and be sure to set

ServerAliveInterval*ServerAliveCountMax <= 0.8*N, N being the timeout. Since ServerAliveCountMax is typically not modified, in our example we assume the default value of 3 and therefore 3x15 = 45 seconds (and we guessed a disconnect every minute or so). If you set the value too low, the client will send too much "chatter" to the server and there will be a traffic impact.


Appendix
Nagle's algorithm

This was written based on this article.

RPC implementations on TCP should disable Nagle. This reduces average RPC request latency on TCP, and makes network trace tools work a little nicer.

Determines whether Nagle's algorithm is to be used. The Nagle's algorithm tries to conserve bandwidth by minimizing the number of segments that are sent. When applications wish to decrease network latency and increase performance, they can disable Nagle's algorithm (that is enable TCP_NODELAY). Data will be sent earlier, at the cost of an increase in bandwidth consumption.


KeepAlive

The KEEPALIVE option of the TCP/IP Protocol ensures that connections are kept alive even while they are idle. When a connection to a client is inactive for a period of time (the timeout period), the operating system sends KEEPALIVE packets at regular intervals. On most systems, the default timeout period is two hours (7,200,000 ms).

If the network hardware or software drops connections that have been idle for less than the two hour default, the Windows Client session will fail. KEEPALIVE timeouts are configured at the operating system level for all connections that have KEEPALIVE enabled.

If the network hardware or software (including firewalls) has an idle limit of one hour, then the KEEPALIVE timeout must be less than one hour. To rectify this situation the TCP/IP KEEPALIVE settings can be lowered to fit inside the firewall limits. The implementation of TCP KEEPALIVE may vary from vendor to vendor. The original definition is quite old and described in RFC 1122.


MIT Magic cookie

To avoid unauthorized connections to your X display, the xauth mechanism (MIT-MAGIC-COOKIE-1) for authenticating X connections is widely used. When you log in, a .Xauthority file is created in your home directory ($HOME). SSH too creates a magic cookie, and without it no display can be opened. Note that since the .Xauthority file IS the file containing the MIT magic cookie, if you ever run out of disk quota or the file system is full, this file CANNOT be created or updated (even by the sshd acting as the user) and consequently no X connections can be opened.

The .Xauthority file sometimes contains information from older sessions, but this is not important, as a new key is created at every login session. Xauthority is simple and powerful, and eliminates many of the security problems with X.



Postscript:
Today I also found a Q&A in issue 11 of 《开源》:

Can an ssh session be kept from disconnecting automatically?

Edit the .bash_profile file in your HOME directory and add
export TMOUT=1000000 (in seconds)
then run source .bash_profile


Friday, January 16, 2009

Exporting the PuTTY configuration from the registry

On Windows, after you save a connection in PuTTY, its details are stored in the registry and can be exported with a command.
After starting cmd, run
REG EXPORT HKEY_CURRENT_USER\Software\SimonTatham PuTTY.config.reg
The exported PuTTY.config.reg file is written to cmd's current directory; copy it to another machine and double-click it to import.


Thursday, January 15, 2009

rpmforge: good stuff

Recently I have been trying to install mercurial (I wanted the hg command) on rhel5 (x86_64). It isn't in the repository, and the package downloaded from the official site either wouldn't install or installed but didn't run properly. In the end I found a method on google: install rpmforge.
First install yum-priorities:
yum install yum-priorities

Note: make sure enabled=1 in /etc/yum/pluginconf.d/priorities.conf and plugins=1 in /etc/yum.conf

Now you can set priorities, for example:
[rhel_dvd]
name=Red Hat Enterprise Linux $releasever-$basearch-Cluster
baseurl=ftp://IP/pub/rhel5/
enabled=1
priority=1
The smaller the priority value, the higher the priority.
Typically,
base, addons, updates, extras should be priority=1
centosplus, contrib should priority=2

Next, install rpmforge:
First download the rpm package:
wget http://apt.sw.be/redhat/el5/en/x86_64/RPMS.dag/rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm
Then import the key: rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
Then verify: rpm -K rpmforge-release-0.3.6-1.el5.rf.*.rpm
and install: rpm -i rpmforge-release-0.3.6-1.el5.rf.*.rpm
Now there are two new files in /etc/yum.repos.d: rpmforge.repo and mirrors-rpmforge (so what rpmforge does is install a repo file and provide a repository; it is said to be the repository most trusted and recommended by CentOS officially).
Next set priority=9 (your choice) and test: yum check-update
Finally install mercurial:
yum install mercurial
OK, it worked the first time


Wednesday, January 14, 2009

CentOS repositories can serve as RHEL repositories

You can take the CentOS repository configuration file wholesale for use with RHEL; the procedure is:
cd /etc/yum.repos.d
cp rhel_local.repo rhel_local.repo.old
wget http://centos.ustc.edu.cn/CentOS-Base.repo.5
mv CentOS-Base.repo.5 rhel_local.repo
rpm --import http://centos.ustc.edu.cn/centos/RPM-GPG-KEY-CentOS-5
At this point running yum gives an error:
http://centos.ustc.edu.cn/centos/5Server/os/x86_64/repodata/repomd.xml: [Errno 14] HTTP Error 404: Not Found
So I changed every $releasever in rhel_local.repo to 5, and then yum works.


Postscript:
yum update still fails this way, with the error:
...
--> Processing Conflict: yum conflicts yum-rhn-plugin < 0.5.2-1.el5
--> Finished Dependency Resolution
Error: yum conflicts with yum-rhn-plugin < 0.5.2-1.el5
The fix is to uninstall all the yum-related packages that come with RHEL (which of course includes yum-rhn-plugin) and then install the new yum; after that yum can upgrade RHEL from the CentOS repositories.


Tuesday, January 13, 2009

Fixing the "no key" warning

When installing with yum, if the warning
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 37017186

Public key for fonts-chinese-3.02-9.6.el5.noarch.rpm is not installed

appears, then run the command
rpm --import /etc/pki/rpm-gpg/RPM*
and that's it.

Postscript: with yum, after adding a new repository you need to add its new KEY: download it from the web and save it in /etc/pki/rpm-gpg/, then cd to the directory containing the KEY and run rpm --import KEYNAME.
One difference between yum and apt-get is that apt-get, after one update, stores all the information in a local database so that later installs and queries don't need to check again; refreshing the information is manual, so it is slightly less current but faster. yum fetches the information from the network every time, which is more current but slower, and refreshing is automatic.


Problems restoring /boot/ from a backup, and the fix

Yesterday I broke grub, so I tried to install a system on a USB stick in order to mount the original system from it. After a lot of effort I finally got grub installed on the USB stick, but I couldn't boot into a system, so I could only use commands in grub.
At first it was simply
root (hdX,Y)
kernel /boot/XXX
initrd /boot/YYY
boot
After booting I got a kernel panic; later I found that it hadn't recognized the disk. Finally I added root=/dev/sda1 to the kernel command (sda1 being the disk partition) and it booted. So grub was indeed broken, and I ran the grub command as root
grub
>root (hdX,Y)
>setup (hdX)
>quit
After a reboot everything was normal.
So to restore /boot/ it is not enough to copy the backed-up boot directory back; you also need to install grub on the original disk partition, which the grub command does; grub-install works too.


Monday, January 12, 2009

Installing a system on a USB stick

The server's grub was broken and it had no optical drive, so I had to build a system on a USB stick.
At first I planned to use dsl. This system uses syslinux as its boot loader by default; it is smaller than grub but not interactive, and it is specifically for booting from Windows fat32 filesystems. Related loaders are isolinux (boots iso images; ubuntu's livecd uses this), pxelinux (pxe boot), extlinux (boots ext filesystems) and so on.
See http://damnsmalllinux.org./wiki/index.php/Installing_to_a_USB_Flash_Drive for the method.
First prepare a fat32 partition on the USB stick, then copy the dsl-embedded image onto it, and then run syslinux -ma E: at the command line, where E is the drive letter. At this step I first used my own USB stick: there was clearly no device with letter E, but the default letter was F, and it failed; forcing the drive letter to E still didn't work, and finally booting from that stick failed too, so my stick really has a problem. I switched to someone else's stick; after syslinux -ma E: it booted successfully. Press F2 to enter the menu; edit the syslinux.cfg file to change the menu entries.
Actually, if the USB stick is big enough, you can copy the entire contents of the Ubuntu livecd onto it, rename isolinux/isolinux.cfg to isolinux/syslinux.cfg, and then install syslinux and mtools and so on.

Because it is not interactive, I tried installing grub on the USB stick.
At first the command grub-install /dev/sda1 didn't work, so I copied the stage1, stage2, grub.conf and menu.lst files from /boot/grub/ onto the USB stick, entered an existing grub, and ran
root (hda1)
setup (hda1,0)
quit
That did it; edit grub.conf so the boot entries are correct, or boot interactively from the command line.
Success!

Then, after booting into dsl, I found it couldn't even see the hard disk! fdisk -l showed only the USB partitions. Could it be because the partition dsl sits on is fat32? Forget it, no time; I'll just install a complete Ubuntu on the USB stick.


Postscript: I didn't finish yesterday, so I continued today.
At first I planned to install Ubuntu onto the USB stick from a virtual machine, but unfortunately it couldn't detect the stick; later it did detect it but couldn't format it, so I had to do it on a physical machine. I had an Ubuntu CD, so I used the livecd to install onto the stick, but the stick still couldn't be formatted. With no other option I chose a network install (redhat can install from ftp, and the Debian family can install from a repository). First go into the install/netboot/ubuntu-installer/i386/ directory (copied from the iso or downloaded from a mirror), get the two files linux and initrd.gz, and boot from them. One step asks for the repository location; I entered a USTC mirror by hand, debian.ustc.edu.cn in one field and /ubuntu/ in the other. The whole process was fairly fast (mounting the image yourself and entering an IP and directory path when choosing the repository would presumably work too). The installation finally succeeded, and grub was installed as well, but after booting from the USB stick, although grub came up, Ubuntu wouldn't start properly. Still, that's fine: as long as there is a grub, I can configure the boot entries.
That USB stick reportedly once had rhel5 installed on it; the system could boot but grub couldn't be installed.


I also saw a program on the web: UNetbootin; after a little setup you just copy the livecd iso onto the stick, very convenient. I'll try it when I get the chance.


Sunday, January 11, 2009

Adding background music to the blog

After half a day of trying, I finally got it working.
The web says there are two methods:

<bgsound src="http://csatblogspotdotcom.googlepages.com/myfavorite.wma" loop="infinite">

<embed width="200" src="http://csatblogspotdotcom.googlepages.com/myfavorite.wma" autostart="true" loop="false" height="50"></embed>

But when I tried them, only the second one worked.

Finally I wanted to add several songs, but unfortunately m3u files aren't recognized; there are other methods on the web, but they are more complicated, and with no time I gave up.


Saturday, January 10, 2009

Setting a proxy in ~/.bashrc

Just add to ~/.bashrc
export http_proxy="IP:Port"
export ftp_proxy="IP:Port"
and then run . or source on it to take effect.
This way, the networking applications that honour these variables (wget, curl, yum, lynx and the like) will all go through this proxy.


Friday, January 9, 2009

Device Drivers ---> Block devices ---> Loopback device support

Another way to do it is to download linux-2.6.18.tar.gz in
/root/.ketchup/ because ketchup seems to try checking the signature only
when the file has just been downloaded. (Not verified in the code
though.)


Wednesday, January 7, 2009

Open-source software is great

Today sourceforge sent me a year-end e-mail listing twenty-odd good programs; they are all good software and all free, for example 7zip, filezilla and notepad++, and it also mentioned mingw.
7zip's compression ratio is higher than bzip2's and it decompresses faster than bzip2, though it compresses more slowly. 7zip has a very nice feature: it supports multithreaded compression, so on a multi-core machine it is much faster. 7-zip itself supports many formats, including extracting rar; I tried it, and its extraction speed is on a par with winrar. 7-zip supports every format winrar does, so in the end I simply uninstalled winrar.
I looked at filezilla's interface and it is very nice, better than FlashFXP. I don't understand why so many people use FlashFXP, which is no easier to use than filezilla and has to be paid for.
Then notepad++, which is okay; only the Chinese fonts aren't very pretty.
In fact there is a lot of very good, free, open-source software whose performance is no worse than the pirated commercial software we usually use; we just don't know about it. From now on I should use open-source software more: it performs well, it's free, and there is no need for pirated software.

Postscript:
I just found a small shortcoming of 7zip:
readable documents inside an archive can only be viewed with an external program, whereas winrar has a built-in document viewer, so you can double-click a file to open and read it.


Sunday, January 4, 2009

Using an HVM to build the corresponding PVM

scp works too, but it has a drawback: symbolic links all become real files and take up more space.
So first pack the files inside the HVM, transfer the archive out of the HVM, and extract it into the image file:
tar jcf tmp.tar.bz2 /{root,dev,var,etc,usr,bin,sbin,lib}
scp tmp.tar.bz2 user@IP:/dir/
tar jxf tmp.tar.bz2 -C /mnt/img/
mkdir /mnt/img/{proc,sys,home,tmp}


Fixing the eth device number going up by 1 on every reboot

With the xen configuration file choosing a random MAC address each time, every boot gets a new MAC address, which causes the eth device number to go up by 1 after every reboot (on ubuntu 8.04). After searching the web for ages, it may be caused by network-manager, so first uninstall it (an ubuntu 8.04 image downloaded from jailtime doesn't have network-manager and doesn't show this problem). Then you also have to clear all the MAC addresses from /etc/udev/rules.d/70-persistent-net.rules; after a reboot eth0 will be used. (/etc/udev/rules.d/75-persistent-generator-net.rules is a configuration file too.)
But that still isn't enough; the problem comes back on the next reboot. In the end I didn't find a good method and had to pin the MAC address in the configuration file.

There is another way to solve this without uninstalling network-manager: clear /etc/udev/rules.d/70-persistent-net.rules at shutdown.
