25 September 2014
4 May 2014
27 April 2014
5 April 2014
1 April 2014
1 March 2014
clockwerk-configure commands that can be issued from login without changing directories.
Clockwerk is the next generation of a self-contained Virtual Machine created and maintained by the Wizardry and Steamworks group that is configured and optimised to run a standalone hypergrid instance of OpenSim. OpenSim is not scalable when it comes to providing services to a large number of users. For example, when running a single instance of OpenSim and providing services to multiple users by allocating regions for them, the resource consumption seems to have a quadratic progression, where more and more resources are consumed, even for the slightest functionality of OpenSim. An example of poor design is the fact that, by default, assets (images, audio clips, etc.) are never purged from the users' inventory, even if the users trash them and purge them in-world.
In order to avoid that, we have been designing virtual boxes that are supposed to make the resource consumption issue manageable by allowing administrators to allocate processors to each individual box. Furthermore, since the requirements state that languages such as C# have to be used within the Owls, and because OpenSim provides full access to the filesystem, allowing for simple path-traversal issues, we have found it unwise to run an OpenSim daemon on a multi-user machine (unless OpenSim would be
Downloads are provided for
Virtual Box and
Should you need to convert the image files, this can be achieved with the
qemu-img convert -O vmdk "Clockwerk.qcow2" "Clockwerk.vmdk"
qemu-img convert -O vdi "Clockwerk.qcow2" "Clockwerk.vdi"
All the code that we write and use is modular and available publicly under various OpenSource licenses from the following repositories:
Our Owls to provide a scalable service to educators that teach natural sciences and provide governmental training. Due to the heterogeneous environment, where users with different backgrounds (for example, a physics lecturer and a chemistry lecturer) are meant to be able to access and use their grids asynchronously for teaching, an OpenSim architecture based on grid-wide services becomes unfeasible and even less desirable. That is mainly because of the load exerted onto the system when multiple users access the services (i.e. Linden Labs have never fixed their group chat issue due to the fact that their grid-wide services receive so many asynchronous messages that Jabber bails out and is unable to process further requests).
We have a star-shaped topology where each grid is self-standing and, due to the hypergrid architecture of OpenSim, avatars are able to “hyperjump” from grid to grid while still maintaining most of the Virtual World functionality. There are certain limitations, such as the infamous “Suitcase” problem when an avatar hyperjumps to a different grid but they are being addressed. Thus, each of the grids can be accessed individually by creating an account local to the grid or by creating an account on the greeting grid and hyper-jumping to the other grids.
This topology scales well, given that educators do not want to be bothered by incoming travellers during lectures and that various activities may crash a grid. In that sense, we do not have a single point of failure. If one of the grids becomes compromised, then the rest of the grids will most likely be up and running. The star-shaped topology also allows the distribution of grids across multiple machines, most of the work being done by a DNS server: it is not imperative that all the grids be hosted on the same machine, nor be placed in the same location.
Clockwerk is synchronized with the OpenSim development branch and includes a series of patches that have not been included in the mainstream OpenSim:
/etc/cron.minutely/opensimpm and the Spectacled Owl will run without suspending. The suspend time is controlled by the firewall (see filesystem tree below), setting
600 (10 minutes) per default.
timer will have a timing of which is equivalent to the timing in SecondLife.
Clockwerk is OSSL friendly and all functions can be used on a simple ACL scheme devised by Wizardry and Steamworks. Contrary to the main development branch of OpenSim, Clockwerk disregards the “threat level” setting because it is ambiguous.
A good example of ambiguity or poor design is the osNpcStand function that makes an NPC stand. It is classed as a High threat function, which per OpenSim OSSL standards allows for:
“Casual abuse can cause impaired functionality or temporary denial of service conditions. Intentional abuse can easily cause crashes with potential data loss, or can be used to trick experienced and cautious users into unwanted situations, or changes global data permanently and without undo ability.” - OpenSim wiki, Threat Level
If making an NPC stand can cause all that, then that is very bad (no other way to express it). Cases such as DoS or access to global data should be handled by the developer of the osNpcStand function and not left in the air and the liability dumped onto the user. osNpcStand is just an example, out of many, that has absolutely no reason to cause any of the damage cited in the last passage.
Instead, Clockwerk imposes restrictions on each function individually, thereby strengthening the definition of OSSL security. All the OSSL functions are thus defined in OpenSim.ini and prefixed with
Under most applications, the specified behavior of many of these functions should not be harmful to either security or privacy. Such functions are set to true, thereby allowing everybody access to them. As an example, Clockwerk by default grants full access to the prim-drawing OSSL functions, or the OSSL function that gets a key from an avatar name. Under the assumption that they do not include bugs from upstream developers and that they conform to the documentation, they could not be used in a malicious manner.
Other functions that may leak some information are set to PARCEL_GROUP_MEMBER, meaning that they will only work if the group that the land is set to is the same as the group that the object is set to. If these two match, regardless of the owner of the object, all functions tagged with PARCEL_GROUP_MEMBER will work. For example, all the NPC-related OSSL functions are by default to
Some functions, such as the OSSL functions that handle parcel division and joining, are set to PARCEL_OWNER, meaning that the object has to be set to the parcel owner.
ESTATE_OWNER is a setting that indicates that the owner of the object using the OSSL function has to be the estate manager. This is the case for the region settings such as the estate sun settings, wind settings and even the OSSL function to get an agent's IP. Note that Clockwerk excludes grid architectures such that the estate owner has the same access as the physical owner of Clockwerk.
You can change the defaults as you see fit; however, if you would like to see the changes pushed onto the update queue, please feel free to e-mail us.
Allow_osGetAgentIP = ESTATE_OWNER
Allow_osGetAgents = true
Allow_osKickAgent = PARCEL_GROUP_MEMBER
Allow_osTeleportAgent = PARCEL_GROUP_MEMBER
Allow_osCauseDamage = PARCEL_GROUP_MEMBER
Allow_osCauseHealing = PARCEL_GROUP_MEMBER
Allow_osGetHealth = PARCEL_GROUP_MEMBER
Allow_osGetAgents = PARCEL_GROUP_MEMBER
Allow_osGetSimulatorVersion = PARCEL_GROUP_MEMBER
Allow_osTeleportAgent = PARCEL_GROUP_MEMBER
Allow_osAvatarName2Key = true
Allow_osGetNotecard = true
Allow_osGetNotecardLine = true
Allow_osGetNumberOfNotecardLines = true
Allow_osMakeNotecard = true
Allow_osNpcCreate = PARCEL_GROUP_MEMBER
Allow_osNpcMoveTo = PARCEL_GROUP_MEMBER
Allow_osNpcMoveToTarget = PARCEL_GROUP_MEMBER
Allow_osNpcStopMoveToTarget = PARCEL_GROUP_MEMBER
Allow_osNpcSetRot = PARCEL_GROUP_MEMBER
Allow_osNpcGetRot = PARCEL_GROUP_MEMBER
Allow_osNpcGetPos = PARCEL_GROUP_MEMBER
Allow_osNpcRemove = PARCEL_GROUP_MEMBER
Allow_osNpcSay = PARCEL_GROUP_MEMBER
Allow_osNpcWhisper = PARCEL_GROUP_MEMBER
Allow_osNpcTouch = PARCEL_GROUP_MEMBER
Allow_osNpcIsNpc = PARCEL_GROUP_MEMBER
Allow_osNpcGetOwner = PARCEL_GROUP_MEMBER
Allow_osNpcSit = PARCEL_GROUP_MEMBER
Allow_osNpcStand = PARCEL_GROUP_MEMBER
Allow_osOwnerSaveAppearance = PARCEL_GROUP_MEMBER
Allow_osNpcLoadAppearance = PARCEL_GROUP_MEMBER
Allow_osNpcSaveAppearance = PARCEL_GROUP_MEMBER
Allow_osAvatarPlayAnimation = PARCEL_GROUP_MEMBER
Allow_osAvatarStopAnimation = PARCEL_GROUP_MEMBER
Allow_osMessageObject = PARCEL_GROUP_MEMBER
Allow_osGetRezzingAgent = PARCEL_GROUP_MEMBER
Allow_osIsUUID = true
Allow_osListenRegex = PARCEL_GROUP_MEMBER
Allow_osMessageAttachments = PARCEL_GROUP_MEMBER
Allow_osMovePen = true
Allow_osDrawLine = true
Allow_osDrawText = true
Allow_osDrawEllipse = true
Allow_osDrawRectangle = true
Allow_osDrawFilledRectangle = true
Allow_osDrawPolygon = true
Allow_osDrawFilledPolygon = true
Allow_osDrawImage = true
Allow_osGetDrawStringSize = true
Allow_osSetFontName = true
Allow_osSetFontSize = true
Allow_osSetPenSize = true
Allow_osSetPenColor = true
Allow_osSetPenCap = true
Allow_osSetDynamicTextureData = true
Allow_osSetDynamicTextureDataBlend = true
Allow_osSetDynamicTextureDataBlendFace = true
Allow_osSetDynamicTextureURL = true
Allow_osSetDynamicTextureURLBlend = true
Allow_osSetDynamicTextureURLBlendFace = true
Allow_osParcelJoin = PARCEL_OWNER
Allow_osParcelSubdivide = PARCEL_OWNER
Allow_osSetParcelDetails = PARCEL_OWNER
Allow_osGetTerrainHeight = PARCEL_OWNER
Allow_osSetTerrainHeight = PARCEL_OWNER
Allow_osTerrainFlush = PARCEL_OWNER
Allow_osSetTerrainTexture = PARCEL_OWNER
Allow_osSetTerrainTextureHeight = PARCEL_OWNER
Allow_osSetRegionWaterHeight = ESTATE_OWNER
Allow_osSetRegionSunSettings = ESTATE_OWNER
Allow_osSetEstateSunSettings = ESTATE_OWNER
Allow_osGetCurrentSunHour = ESTATE_OWNER
Allow_osGetSunParam = ESTATE_OWNER
Allow_osSetSunParam = ESTATE_OWNER
Allow_osWindActiveModelPluginName = ESTATE_OWNER
Allow_osGetWindParam = ESTATE_OWNER
Allow_osSetWindParam = ESTATE_OWNER
Allow_osGetGridName = ESTATE_OWNER
Allow_osGetGridNick = ESTATE_OWNER
Allow_osGetGridLoginURI = ESTATE_OWNER
Allow_osGetGridHomeURI = ESTATE_OWNER
Allow_osGetGridGatekeeperURI = ESTATE_OWNER
Allow_osGetGridCustom = ESTATE_OWNER
Allow_osGetScriptEngineName = ESTATE_OWNER
Allow_osGetSimulatorVersion = ESTATE_OWNER
Allow_osGetSimulatorMemory = ESTATE_OWNER
Allow_osGetMapTexture = ESTATE_OWNER
Allow_osGetRegionMapTexture = ESTATE_OWNER
Allow_osGetRegionStats = ESTATE_OWNER
Allow_osLoadedCreationDate = ESTATE_OWNER
Allow_osLoadedCreationTime = ESTATE_OWNER
Allow_osLoadedCreationID = ESTATE_OWNER
Allow_osGetPhysicsEngineType = ESTATE_OWNER
Allow_osRegionNotice = ESTATE_OWNER
Allow_osRegionRestart = ESTATE_OWNER
Allow_osConsoleCommand = ESTATE_OWNER
Allow_osSetParcelMediaURL = PARCEL_GROUP_MEMBER
Allow_osSetPrimFloatOnWater = ESTATE_OWNER
Allow_osSetParcelSIPAddress = PARCEL_GROUP_MEMBER
Allow_osSetStateEvents = ESTATE_OWNER
Allow_osList2Double = true
Allow_osKey2Name = true
Allow_osFormatString = true
Allow_osMatchString = true
Allow_osUnixTimeToTimestamp = true
Allow_osParseJSON = true
Allow_osParseJSONNew = true
Allow_osMax = true
Allow_osMin = true
Allow_osRegexIsMatch = true
Allow_osReplaceString = true
Allow_osSetContentType = true
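The listing above assigns some functions more than once with different levels (Allow_osGetAgents and Allow_osGetSimulatorVersion, for instance), so a review of the ACL starts by finding those and by listing what is open to everybody. The script below is an added example, not part of Clockwerk or OpenSim; the names ossl_conflicts, ossl_granted and sample_ini are made up for it, and it assumes one Allow_ assignment per line.

```shell
#!/bin/sh
# Added example, not part of Clockwerk: review the OSSL ACL lines of an
# OpenSim.ini-style file. Assumes one "Allow_<function> = <level>" per line.

# Print each Allow_ key that is assigned different levels on different lines,
# as "key: level1,level2". Repeats with the same level are not reported.
ossl_conflicts() {
    awk -F'=' '
        /^[ \t]*Allow_/ {
            key = $1; val = $2
            sub(/;.*/, "", val)                      # drop a trailing INI comment
            gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
            if (!(key in count)) { order[++n] = key; count[key] = 0 }
            if (!((key, val) in seen)) {
                seen[key, val] = 1
                if (count[key] > 0) vals[key] = vals[key] "," val
                else vals[key] = val
                count[key]++
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (count[order[i]] > 1) print order[i] ": " vals[order[i]]
        }' "$1"
}

# Print every key that at least one line sets to the level given as $2,
# e.g. "true" to list what any script may call.
ossl_granted() {
    awk -F'=' -v level="$2" '
        /^[ \t]*Allow_/ {
            key = $1; val = $2
            sub(/;.*/, "", val)
            gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
            if (val == level && !(key in shown)) { shown[key] = 1; print key }
        }' "$1"
}

# Excerpt of the listing above, relative order preserved.
sample_ini() {
    cat <<'EOF'
Allow_osGetAgentIP = ESTATE_OWNER
Allow_osGetAgents = true
Allow_osKickAgent = PARCEL_GROUP_MEMBER
Allow_osTeleportAgent = PARCEL_GROUP_MEMBER
Allow_osGetAgents = PARCEL_GROUP_MEMBER
Allow_osGetSimulatorVersion = PARCEL_GROUP_MEMBER
Allow_osTeleportAgent = PARCEL_GROUP_MEMBER
Allow_osAvatarName2Key = true
Allow_osGetSimulatorVersion = ESTATE_OWNER
Allow_osConsoleCommand = ESTATE_OWNER
EOF
}

tmp=$(mktemp)
sample_ini > "$tmp"
echo "Conflicting assignments:"; ossl_conflicts "$tmp"
echo "Open to everyone (true):"; ossl_granted "$tmp" true
rm -f "$tmp"
```

Which of two conflicting lines takes effect depends on how the configuration is read, so each reported key should be reduced to a single assignment.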
The web-interface that is displayed to connecting clients is served by /var/www and has the following features:
and is protected by CAPTCHAs. However, one major limitation and potential security concern for cross-domain logins is that not all viewers support displaying pages served over https, in which case passwords on account creation will be sent in plaintext. In VIBE's case, we have IP-level limitations that block external access, especially to grids that have to be used by students, which makes this security limitation trivial until viewer developers will be able to include serving pages over
The following privacy rules are implemented for IAR and OAR handling:
Clockwerk allows access to the OpenSim console directly from the log-in screen of any compatible viewer. This allows grid-owners to manage their own regions by directly commanding OpenSim from a web-browser or any viewer that supports OpenSim.
This feature can be accessed from the log-in screen of Clockwerk by clicking the “Console” button. Clockwerk will then ask for a user-name and password. By default, the username is admin and the password is password, but these values can be changed by editing /etc/guacamole/user-mapping.xml and changing the line:
<authorize username="admin" password="password">
in order to set a username and password. After that, Clockwerk needs to be reset and then grid-owners will be able to access their own OpenSim console.
The console can be accessed by visiting:
where Clockwerk will prompt for the username and password specified earlier.
The Virtual Machine is set up so that it allows users to update the entire system from the Wizardry and Steamworks servers. Updates take place over SVN so that when we have an update, users can use a provided script to pull the changes and update the machine. The demonstration video shows an example update process of Clockwerk. Similarly, Wizardry and Steamworks provides a set of management tools that facilitate the management of Clockwerk.
Clockwerk includes a number of optimizations, including a custom kernel, network tweaks for broadband access and filesystem tweaks.
The kernel is compiled with and enables hugetables on boot as well as threaded IRQs. You can recompile the kernel by going to
sysctl tweaks are entered into the
kernel.panic = 30
kernel.panic_on_oops = 30
kernel.sysrq = 0
kernel.core_uses_pid = 1
kernel.pid_max = 65536
kernel.randomize_va_space = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
vm.dirty_ratio = 60
vm.dirty_background_ratio = 2
vm.mmap_min_addr = 4096
vm.overcommit_ratio = 0
vm.overcommit_memory = 0
kernel.shmmax = 268435456
kernel.shmall = 268435456
vm.min_free_kbytes = 65536
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.conf.all.bootp_relay = 0
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.tcp_dsack = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fack = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_rfc1337 = 1
net.ipv4.ip_no_pmtu_disc = 1
net.ipv4.tcp_congestion_control = htcp
net.ipv4.tcp_window_scaling = 1
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_filter = 1
net.ipv4.tcp_mem = 65536 131072 262144
net.ipv4.udp_mem = 65536 131072 262144
net.ipv4.tcp_rmem = 8192 87380 16777216
net.ipv4.udp_rmem_min = 16384
net.core.rmem_default = 131072
net.core.rmem_max = 16777216
net.ipv4.tcp_wmem = 8192 65536 16777216
net.ipv4.udp_wmem_min = 16384
net.core.wmem_default = 131072
net.core.wmem_max = 16777216
net.core.somaxconn = 32768
net.core.netdev_max_backlog = 4096
net.core.dev_weight = 64
net.core.optmem_max = 65536
net.ipv4.tcp_max_tw_buckets = 1440000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 16384
net.ipv4.tcp_orphan_retries = 0
net.ipv4.ipfrag_high_thresh = 524288
net.ipv4.ipfrag_low_thresh = 446464
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1
net.unix.max_dgram_qlen = 50
net.ipv4.neigh.default.gc_thresh3 = 2048
net.ipv4.neigh.default.gc_thresh2 = 1024
net.ipv4.neigh.default.gc_thresh1 = 32
net.ipv4.neigh.default.gc_interval = 30
net.ipv4.neigh.default.proxy_qlen = 96
net.ipv4.neigh.default.unres_qlen = 6
net.ipv4.tcp_ecn = 1
net.ipv4.tcp_ecn = 2
net.ipv4.tcp_reordering = 3
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_retries1 = 3
net.ipv4.route.flush = 1
net.ipv6.route.flush = 1
net.ipv4.tcp_mtu_probing=1
vm.dirty_background_ratio = 80
vm.dirty_ratio = 90
vm.dirty_expire_centisecs = 6000
vm.dirty_writeback_centisecs = 4000
kernel.sched_min_granularity_ns = 10000000
kernel.sched_wakeup_granularity_ns = 15000000
fs.suid_dumpable = 0
and they include a number of optimizations, such as decreasing the swappiness and network-level enhancements.
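The list sets several keys twice (vm.dirty_ratio, vm.dirty_background_ratio, net.ipv4.tcp_ecn), so the value that ends up applied is the later one. The following added example, which is not Clockwerk's own code, resolves that effective value and compares a few security-relevant keys with a review baseline; the baseline values and the names sysctl_effective, sysctl_review and sample_sysctl are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of Clockwerk: resolve the value a sysctl file ends
# up applying for a key and compare a few keys with a review baseline.

# Print the last value assigned to key $2 in file $1. sysctl applies the
# file top to bottom, so a later line overrides an earlier one.
sysctl_effective() {
    awk -F'=' -v want="$2" '
        /^[ \t]*[#;]/ { next }                   # comment lines
        NF >= 2 {
            key = $1; gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t\r]+$/, "", val)
            if (key == want) last = val
        }
        END { if (last != "") print last }' "$1"
}

# Report keys in file $1 whose effective value differs from the baseline.
# The baseline is this example's assumption, not a Clockwerk recommendation:
#   kernel.randomize_va_space 2       also randomizes the heap (brk) base
#   net.ipv4.tcp_tw_recycle 0         1 drops clients behind NAT; removed in Linux 4.12
#   net.ipv4.conf.all.log_martians 1  log packets with impossible source addresses
#   fs.suid_dumpable 0                no core dumps from setuid programs
sysctl_review() {
    while read -r key want; do
        have=$(sysctl_effective "$1" "$key")
        if [ -n "$have" ] && [ "$have" != "$want" ]; then
            echo "$key: have $have, baseline $want"
        fi
    done <<'EOF'
kernel.randomize_va_space 2
net.ipv4.tcp_tw_recycle 0
net.ipv4.conf.all.log_martians 1
fs.suid_dumpable 0
EOF
    return 0
}

# Excerpt of the list above, relative order preserved.
sample_sysctl() {
    cat <<'EOF'
kernel.randomize_va_space = 1
vm.dirty_ratio = 60
vm.dirty_background_ratio = 2
net.ipv4.conf.all.log_martians = 0
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_ecn = 1
net.ipv4.tcp_ecn = 2
net.ipv4.tcp_mtu_probing=1
vm.dirty_background_ratio = 80
vm.dirty_ratio = 90
fs.suid_dumpable = 0
EOF
}

tmp=$(mktemp)
sample_sysctl > "$tmp"
echo "effective vm.dirty_ratio: $(sysctl_effective "$tmp" vm.dirty_ratio)"
sysctl_review "$tmp"
rm -f "$tmp"
```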
Clockwerk mounts the root partition as jfs in order to optimize accesses to the MySQL database in /var. Compared to its predecessor, the Spectacled Owl, Clockwerk simplifies the filesystem by switching to only one working partition.
To set-up the virtual machine, the Spectacled Owl needs a bridged network. The development machine used in the demonstration video has the following configuration:
| || ||OpenSim tends to love CPUs, the more, the merrier.|
| || ||Seems to be sufficient even for large 15k primitive regions.|
| ||Bridge|| The Spectacled Owl needs a real IP, regardless if it is a class
Make sure to remove irrelevant hardware such as printers, floppy drives and other hardware from the Virtual Machine that would only overload the kernel and slow down the machine.
|system root password|| || can be changed using
|opensim account password|| || can be changed using
|SSH port|| || can be changed by editing
|opensim mysql password|| || no point in changing it since
|console admin from web-interface|| || can be changed by editing
Some of the important folders are:
| ||Contains various configuration files for OpenSim.|
| ||OpenSim sources with custom patches.|
| ||The source of the web-based management interface.|
the folders are pulled from Wizardry and Steamworks by the upgrade script and then injected into the Clockwerk virtual machine. This allows us to push development patches to our users and to tweak the virtual machine on each run. We understand that some users prefer their privacy (instead of our trojan horse and a gentleman's parole), in which case the entire clockwerk folder can be deleted and the machine will still function properly, leaving updates (and forks) up to the user.
/root filesystem is
reset are written in Bash and menu-driven. The upgrade script prompts before making any change and if there are local changes it allows users to see what changed via SVN. It further allows users to accept those changes or reject them individually. The reset script is meant for re-initializing Clockwerk in order to provide a template for cloning using the virtualization software at hand and should never be run unless you intend to create a new grid.
The asset cleaner is written in PHP and takes as parameter OARs of the grid. It will then connect to the OpenSim instance and track down any dangling references to assets, effectively wiping assets that are not used. For further details please consult the asset cleaner project page.
iardumper can be used to dump user inventories and pack them in IAR archives (which are zipped tape archives). Note that users can access their IARs at any time using the web-interface and that this tool is to be used by the administrator only.
iardumper is also triggered every day, and dumps the IARs of all avatars to /var/lib/iar using a path based on the avatar name. For example, iardumper will dump an avatar named “Test User” to /var/lib/iar/Test_User/Test_User.iar. This file is then used to serve IARs via the web-interface.
osstrap runs on every startup and tries to guess the VM's IP address. It then proceeds to update OpenSim by setting the corresponding parameters in the various configuration files, and then starts OpenSim on the first console. The project can be found on the osstrap project page.
firewall script configures the firewall and stores it across reboots using persistent tables. A good suggestion is to move this script out of the way and to edit it manually unless you are comfortable with using our recommended settings.
#!/bin/bash
###########################################################################
##  Copyright (C) Wizardry and Steamworks 2014 - License: GNU GPLv3      ##
##  Please see: http://www.gnu.org/licenses/gpl.html for legal details,  ##
##  rights of fair usage, the disclaimer and warranty conditions.        ##
###########################################################################

iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# SSH Guard
iptables -N sshguard
iptables -A INPUT -j sshguard
ip6tables -A INPUT -j sshguard

# Drop by default
iptables -P INPUT DROP

# Always accept loopback
iptables -A INPUT -i lo -j ACCEPT

# Measure idle for suspend
iptables -A INPUT -i eth0 -p tcp -m multiport --dport 9000,80 -j IDLETIMER --timeout 600 --label clockwerk

# Shaping traffic
iptables -t mangle -A PREROUTING -p tcp --dport 9000 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p udp --dport 9000 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp --sport 9000 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p udp --sport 9000 -j TOS --set-tos Minimize-Delay

# Accept related
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# SSH
iptables -A INPUT -i eth0 -p tcp --dport 54377 -j ACCEPT

# OpenSim
iptables -A INPUT -i eth0 -p tcp --dport 9000:9000 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 9000:9000 -j ACCEPT

# Web
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT

# Samba
iptables -A INPUT -i eth0 -p tcp --dport 445 -j ACCEPT

# Save
iptables-save > /etc/iptables/rules.v4
The firewall allows one single region on port 9000, and you will have to edit it and change the rules to allow for more regions. The sshguard jump tables are important because they allow sshguard to block automated attacks on system services. Perhaps a good guide to fleshing out the firewall is to consult the iptables FUSS page.
This script is based on the fix file permissions script and is meant to periodically reset the appropriate permissions to the filesystem as if the system has been freshly installed.
Clockwerk uses one additional configuration file, Clockwerk.ini, that is placed under /srv/opensim. This file is included by OpenSim and any local preferences should be added to Clockwerk.ini instead of modifying the OpenSim configuration files directly. When you upgrade Clockwerk through clockwerk-upgrade the OpenSim configuration files will be overwritten (except for
Clockwerk.ini will be preserved, thus making updates seamless.
To upgrade Clockwerk, log in as root and issue clockwerk-upgrade. You will be prompted by a dialog-driven wizard that will pull all the latest changes from the Wizardry and Steamworks development branch and update the system.
The upgrade procedure proceeds in the following order:
uninstall-packages.txt are removed and packages from
aptitude upgrade in order to update the Debian distribution.
lib/fs which deploys system scripts (for example, the periodic suspend script
Any of these steps can be skipped by answering No. For example, it may be useful to update the firewall from the repositories, as a reference, but to create your own copy and modify it. The upgrade script allows you to do that.
To create a brand-new template for cloning, log in as root and issue clockwerk-reset. This will wipe Clockwerk, database, logs and other junk so that you can use your virtualization software to clone or make a template of the machine. Please remember to reset the MAC address of the network card when starting a new VM.
The first project worth mentioning is Military Open Simulator Enterprise Strategy (MOSES). They have a set-up similar to the one that Wizardry and Steamworks made for VIBE. There are a few differences between the Spectacled Owl and MOSES that are worth mentioning:
The second project worth mentioning is Sim-on-a-Stick, which bundles OpenSim and a viewer, making OpenSim portable. This does resemble the Spectacled Owl, given that Sim-on-a-Stick is just the payload. It is possible to run the Spectacled Owl on a USB stick with a portable version of
Clockwerk is a virtual machine that contains a bunch of software packages, none of which are proprietary (including any non-free, yet distributable software from the Debian Linux distribution). As such, the software on the Spectacled Owl distributed hard-drive is copyright to their respective owners. Wizardry and Steamworks contributes with software as well, indicated by the Wizardry and Steamworks copyright header, which is copyrighted to the Wizardry and Steamworks group under the GNU GPLv3 license or MIT license where indicated.
As far as our contributions go, you are allowed to freely distribute them, modify, distribute and sell them provided you have the agreement of the other involved contributors. Keep in mind that not all free-to-distribute licenses are also free to commercialise and that GNU GPLv3 does not mean public domain.