ChangeLog

25 September 2014

  • Updated OpenSim to 0.8.

4 May 2014

  • Updated website files to be compliant to standards.
  • Fixed error messages for IAR and OAR downloads.

27 April 2014

  • Clockwerk synced with OpenSim git, pulled upgrades and downloadable images are now indexed by date.

5 April 2014

  • Clockwerk now supports accessing the OpenSim console from the viewer or from the management webpage. This requires a fresh copy of the Clockwerk image to be downloaded. For more details on accessing the console from Clockwerk's management interface, please see OpenSim Console Access.

1 April 2014

  • Fixed IAR uploads (missing parameter from RAdmin).
  • Changes to Clockwerk website code.

1 March 2014

  • Release of Clockwerk.
  • Merged partitions and used the jfs filesystem.
  • Added clockwerk-upgrade, clockwerk-reset and clockwerk-configure commands that can be issued from login without changing directories.
  • Moved opensim to /srv/opensim.
  • Moved the tools to /srv/clockwerk.
  • Changed logo.

About

Clockwerk is the next generation of a self-contained Virtual Machine created and maintained by the Wizardry and Steamworks group that is configured and optimised to run a standalone hypergrid instance of OpenSim. OpenSim is not scalable when it comes to providing services to a large number of users. For example, when running a single instance of OpenSim and providing services to multiple users by allocating regions for them, the resource consumption seems to grow quadratically, with more and more resources consumed even for the slightest functionality of OpenSim. An example of poor design is the fact that, by default, assets (images, audio clips, etc.) are never purged from the users' inventory, even if the users trash them and purge them in-world.

In order to avoid that, we have been designing virtual boxes that are supposed to make the resource consumption issue manageable by allowing administrators to allocate processors to each individual box. Furthermore, since the requirements state that languages such as C# have to be used within the Owls, and because OpenSim provides full access to the filesystem, allowing for simple path-traversal issues, we have found it unwise to run an OpenSim daemon on a multi-user machine (unless OpenSim were chrooted).

Video Demonstration

Downloads

Downloads are provided for qemu, VirtualBox and VMWare.

Converting the Hard-Drive Image

Should you need to convert the image files, this can be achieved with the qemu-img tool.

To VMWare
qemu-img convert -O vmdk "Clockwerk.qcow2" "Clockwerk.vmdk"
To VirtualBox
qemu-img convert -O vdi "Clockwerk.qcow2" "Clockwerk.vdi"

Access to Development Projects

All the code that we write and use is modular and available publicly under various OpenSource licenses from the following repositories:

Design

Our Owls are meant to provide a scalable service to educators that teach natural sciences and provide governmental training. Due to the heterogeneous environment, where users with different backgrounds (for example, a physics lecturer and a chemistry lecturer) are meant to be able to access and use their grids asynchronously for teaching, an OpenSim architecture based on grid-wide services becomes unfeasible and even less desirable. That is mainly because of the load exerted onto the system when multiple users access the services (i.e., Linden Labs have never fixed their group chat issue, because their grid-wide services receive so many asynchronous messages that Jabber bails out and is unable to process further requests).

We have a star-shaped topology where each grid is self-standing and, due to the hypergrid architecture of OpenSim, avatars are able to “hyperjump” from grid to grid while still maintaining most of the Virtual World functionality. There are certain limitations, such as the infamous “Suitcase” problem when an avatar hyperjumps to a different grid but they are being addressed. Thus, each of the grids can be accessed individually by creating an account local to the grid or by creating an account on the greeting grid and hyper-jumping to the other grids.

This topology scales well, given that educators do not want to be bothered by incoming travellers during lectures and that various activities may crash a grid. In that sense, we do not have a single point of failure. If one of the grids becomes compromised, then the rest of the grids will most likely be up and running. The star-shaped topology also allows the distribution of grids across multiple machines, most of the work being done by a DNS server - it is not imperative that all the grids have to be hosted on the same machine, nor be placed in the same location.

OpenSim

Clockwerk is synchronized with the OpenSim development branch and includes a series of patches that have not been included in the mainstream OpenSim:

  • The disable IAR passwords patch which is conceptually flawed, given that such a patch has to be applied to Robust instead of the OpenSim core. This means that the Spectacled Owl is not suitable to be used in a grid-like environment. Nevertheless, we accept this patch because the Spectacled Owl is designed and tuned to run as a standalone hypergrid.
  • Clockwerk uses BulletSim physics instead of ODE. This results in a better performance when it comes to physical simulations and will most likely be used for simulators such as the Population Genetics and Selection (PGS) project.
  • Suspend and Resume is used to freeze OpenSim in case no avatars are present on the grid. This reduces the CPU load considerably and allows you to run many Owls in parallel. On the other hand, if computational simulations are meant to be run on the Spectacled Owl, you can remove /etc/cron.minutely/opensimpm and the Spectacled Owl will run without suspending. The suspend time is controlled by the firewall (see filesystem tree below), setting IDLETIMER to 600 (10 minutes) per default.
  • Time-dependent event handlers are patched such that LSL scripts that use listen, sensors, dataserver and timer will have a timing of $\approx 0.05s$ which is equivalent to the timing in SecondLife.

OpenSim Scripting Language ACLs

Clockwerk is OSSL friendly and all functions can be used on a simple ACL scheme devised by Wizardry and Steamworks. Contrary to the main development branch of OpenSim, Clockwerk disregards the “threat level” setting because it is ambiguous.

A good example of ambiguity or poor design is the osNpcStand function that makes an NPC stand. It is classed as a High threat function, which per OpenSim OSSL standards allows for:

“Casual abuse can cause impaired functionality or temporary denial of service conditions. Intentional abuse can easily cause crashes with potential data loss, or can be used to trick experienced and cautious users into unwanted situations, or changes global data permanently and without undo ability.” - OpenSim wiki, Threat Level

If making an NPC stand can cause all that, then that is very bad (no other way to express it). Cases such as DoS or access to global data should be handled by the developer of the osNpcStand function and not left in the air and the liability dumped onto the user. osNpcStand is just an example, out of many, that has absolutely no reason to cause any of the damage cited in the last passage.

Instead, Clockwerk imposes restrictions on each function individually, thereby strengthening the definition of OSSL security. All the OSSL functions are thus defined in OpenSim.ini and prefixed with Allow_.

For most applications, the specified behaviour of many of these functions is harmful to neither security nor privacy. Such functions are set to true, thereby allowing everybody access to them. As an example, Clockwerk by default grants full access to the prim-drawing OSSL functions, or the OSSL function that gets a key from an avatar name. Under the assumption that they do not include bugs from upstream developers and that they conform to the documentation, they cannot be used in a malicious manner.

Other functions that may leak some information are set to PARCEL_GROUP_MEMBER, meaning that they will only work if the group set on the land parcel is the same as the group set on the object. If these two match, regardless of the owner of the object, all functions tagged with PARCEL_GROUP_MEMBER will work. For example, all the NPC-related OSSL functions are set by default to PARCEL_GROUP_MEMBER.

Some functions such as the OSSL functions that handle parcel division and joining are set to PARCEL_OWNER meaning that the object has to be set to the parcel owner.

ESTATE_OWNER is a setting that indicates that the owner of the object using the OSSL function has to be the estate manager. This is the case for the region settings such as the estate sun settings, wind settings and even the OSSL function to get an agent's IP. Note that Clockwerk excludes grid architectures such that the estate owner has the same access as the physical owner of Clockwerk.

You can change the defaults as you see fit, however if you would like to see the changes pushed onto the update queue, please feel free to e-mail us.

Allow_osGetAgentIP = ESTATE_OWNER
Allow_osGetAgents = true
Allow_osKickAgent = PARCEL_GROUP_MEMBER
Allow_osTeleportAgent = PARCEL_GROUP_MEMBER
Allow_osCauseDamage = PARCEL_GROUP_MEMBER
Allow_osCauseHealing = PARCEL_GROUP_MEMBER
Allow_osGetHealth = PARCEL_GROUP_MEMBER
Allow_osGetAgents = PARCEL_GROUP_MEMBER
Allow_osGetSimulatorVersion = PARCEL_GROUP_MEMBER
Allow_osTeleportAgent = PARCEL_GROUP_MEMBER
Allow_osAvatarName2Key = true
Allow_osGetNotecard = true
Allow_osGetNotecardLine = true
Allow_osGetNumberOfNotecardLines = true
Allow_osMakeNotecard = true
Allow_osNpcCreate = PARCEL_GROUP_MEMBER
Allow_osNpcMoveTo = PARCEL_GROUP_MEMBER
Allow_osNpcMoveToTarget = PARCEL_GROUP_MEMBER
Allow_osNpcStopMoveToTarget = PARCEL_GROUP_MEMBER
Allow_osNpcSetRot = PARCEL_GROUP_MEMBER
Allow_osNpcGetRot = PARCEL_GROUP_MEMBER
Allow_osNpcGetPos = PARCEL_GROUP_MEMBER
Allow_osNpcRemove = PARCEL_GROUP_MEMBER
Allow_osNpcSay = PARCEL_GROUP_MEMBER
Allow_osNpcWhisper = PARCEL_GROUP_MEMBER
Allow_osNpcTouch = PARCEL_GROUP_MEMBER
Allow_osNpcIsNpc = PARCEL_GROUP_MEMBER
Allow_osNpcGetOwner = PARCEL_GROUP_MEMBER
Allow_osNpcSit = PARCEL_GROUP_MEMBER
Allow_osNpcStand = PARCEL_GROUP_MEMBER
Allow_osOwnerSaveAppearance = PARCEL_GROUP_MEMBER
Allow_osNpcLoadAppearance = PARCEL_GROUP_MEMBER
Allow_osNpcSaveAppearance = PARCEL_GROUP_MEMBER
Allow_osAvatarPlayAnimation = PARCEL_GROUP_MEMBER
Allow_osAvatarStopAnimation = PARCEL_GROUP_MEMBER
Allow_osMessageObject = PARCEL_GROUP_MEMBER
Allow_osGetRezzingAgent = PARCEL_GROUP_MEMBER
Allow_osIsUUID = true
Allow_osListenRegex = PARCEL_GROUP_MEMBER
Allow_osMessageAttachments = PARCEL_GROUP_MEMBER
Allow_osMovePen = true
Allow_osDrawLine = true
Allow_osDrawText = true
Allow_osDrawEllipse = true
Allow_osDrawRectangle = true
Allow_osDrawFilledRectangle = true
Allow_osDrawPolygon = true
Allow_osDrawFilledPolygon = true
Allow_osDrawImage = true
Allow_osGetDrawStringSize = true
Allow_osSetFontName = true
Allow_osSetFontSize = true
Allow_osSetPenSize = true
Allow_osSetPenColor = true
Allow_osSetPenCap = true
Allow_osSetDynamicTextureData = true
Allow_osSetDynamicTextureDataBlend = true
Allow_osSetDynamicTextureDataBlendFace = true
Allow_osSetDynamicTextureURL = true
Allow_osSetDynamicTextureURLBlend = true
Allow_osSetDynamicTextureURLBlendFace = true
Allow_osParcelJoin = PARCEL_OWNER
Allow_osParcelSubdivide = PARCEL_OWNER
Allow_osSetParcelDetails = PARCEL_OWNER
Allow_osGetTerrainHeight = PARCEL_OWNER
Allow_osSetTerrainHeight = PARCEL_OWNER
Allow_osTerrainFlush = PARCEL_OWNER
Allow_osSetTerrainTexture = PARCEL_OWNER
Allow_osSetTerrainTextureHeight = PARCEL_OWNER
Allow_osSetRegionWaterHeight = ESTATE_OWNER
Allow_osSetRegionSunSettings = ESTATE_OWNER
Allow_osSetEstateSunSettings = ESTATE_OWNER
Allow_osGetCurrentSunHour = ESTATE_OWNER
Allow_osGetSunParam = ESTATE_OWNER
Allow_osSetSunParam = ESTATE_OWNER
Allow_osWindActiveModelPluginName = ESTATE_OWNER
Allow_osGetWindParam = ESTATE_OWNER
Allow_osSetWindParam = ESTATE_OWNER
Allow_osGetGridName = ESTATE_OWNER
Allow_osGetGridNick = ESTATE_OWNER
Allow_osGetGridLoginURI = ESTATE_OWNER
Allow_osGetGridHomeURI = ESTATE_OWNER
Allow_osGetGridGatekeeperURI = ESTATE_OWNER
Allow_osGetGridCustom = ESTATE_OWNER
Allow_osGetScriptEngineName = ESTATE_OWNER
Allow_osGetSimulatorVersion = ESTATE_OWNER
Allow_osGetSimulatorMemory = ESTATE_OWNER
Allow_osGetMapTexture = ESTATE_OWNER
Allow_osGetRegionMapTexture = ESTATE_OWNER
Allow_osGetRegionStats = ESTATE_OWNER
Allow_osLoadedCreationDate = ESTATE_OWNER
Allow_osLoadedCreationTime = ESTATE_OWNER
Allow_osLoadedCreationID = ESTATE_OWNER
Allow_osGetPhysicsEngineType = ESTATE_OWNER
Allow_osRegionNotice = ESTATE_OWNER
Allow_osRegionRestart = ESTATE_OWNER
Allow_osConsoleCommand = ESTATE_OWNER
Allow_osSetParcelMediaURL = PARCEL_GROUP_MEMBER
Allow_osSetPrimFloatOnWater = ESTATE_OWNER
Allow_osSetParcelSIPAddress = PARCEL_GROUP_MEMBER
Allow_osSetStateEvents = ESTATE_OWNER
Allow_osList2Double = true
Allow_osKey2Name = true
Allow_osFormatString = true
Allow_osMatchString = true
Allow_osUnixTimeToTimestamp = true
Allow_osParseJSON = true
Allow_osParseJSONNew = true
Allow_osMax = true
Allow_osMin = true
Allow_osRegexIsMatch = true
Allow_osReplaceString = true
Allow_osSetContentType = true
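As an added example (not part of Clockwerk or OpenSim), a small Python checker for an OpenSim.ini fragment like the one above: it lists every Allow_ entry, flags functions that are assigned more than once with different levels (the fragment above assigns osGetAgents and osGetSimulatorVersion twice with different values), and reports level tokens outside the set used on this page. The [XEngine] section header, the sample entries and the misspelled level are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict

# Access levels used in Clockwerk's OpenSim.ini fragment, plus "false". OpenSim accepts
# further tokens, so anything outside this set is only reported for a human to check.
KNOWN_LEVELS = {"true", "false", "PARCEL_GROUP_MEMBER", "PARCEL_OWNER", "ESTATE_OWNER"}

# "Allow_<function> = <level>", tolerating surrounding whitespace and a trailing comment.
ALLOW_RE = re.compile(r"^\s*Allow_(os\w+)\s*=\s*([^\s;#]+)")

# Constructed sample: a subset of the page's entries including the duplicated keys it
# contains, plus one deliberately misspelled level to exercise the unknown-token report.
SAMPLE_INI = """\
[XEngine]
Allow_osGetAgentIP = ESTATE_OWNER
Allow_osGetAgents = true
Allow_osKickAgent = PARCEL_GROUP_MEMBER
Allow_osTeleportAgent = PARCEL_GROUP_MEMBER
Allow_osGetAgents = PARCEL_GROUP_MEMBER
Allow_osGetSimulatorVersion = PARCEL_GROUP_MEMBER
Allow_osTeleportAgent = PARCEL_GROUP_MEMBER
Allow_osNpcStand = PARCEL_GROUP_MEMBR
Allow_osParcelJoin = PARCEL_OWNER
Allow_osGetSimulatorVersion = ESTATE_OWNER
Allow_osConsoleCommand = ESTATE_OWNER
Allow_osIsUUID = true
"""


def parse_allow_entries(ini_text):
    """Return (function, level, line_number) for every Allow_ line, in file order."""
    entries = []
    for lineno, line in enumerate(ini_text.splitlines(), start=1):
        m = ALLOW_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2), lineno))
    return entries


def audit_allow_entries(ini_text):
    """Group the Allow_ entries per function and report what a reviewer should look at."""
    by_function = defaultdict(list)
    for name, level, lineno in parse_allow_entries(ini_text):
        by_function[name].append((level, lineno))

    conflicts, repeats = {}, {}
    for name, assignments in by_function.items():
        levels = [level for level, _ in assignments]
        if len(set(levels)) > 1:
            # Same key, different levels: which one OpenSim applies depends on the ini
            # reader, so the file should be fixed to carry a single line per function.
            conflicts[name] = levels
        elif len(levels) > 1:
            repeats[name] = [lineno for _, lineno in assignments]

    unknown = sorted(
        (name, level, lineno)
        for name, assignments in by_function.items()
        for level, lineno in assignments
        if level not in KNOWN_LEVELS
    )
    per_level = Counter(level for a in by_function.values() for level, _ in a)
    return {
        "conflicts": conflicts,
        "repeats": repeats,
        "unknown": unknown,
        "per_level": dict(per_level),
        # Functions every script on the grid may call, regardless of parcel or estate.
        "everyone": sorted(n for n, a in by_function.items()
                           if all(level == "true" for level, _ in a)),
    }


def print_report(ini_text):
    result = audit_allow_entries(ini_text)
    for name, levels in result["conflicts"].items():
        print(f"CONFLICT {name}: {' vs '.join(levels)}")
    for name, lines in result["repeats"].items():
        print(f"REPEAT   {name}: lines {lines}")
    for name, level, lineno in result["unknown"]:
        print(f"UNKNOWN  line {lineno}: {name} = {level}")
    print("functions granted to everyone:", ", ".join(result["everyone"]))
    print("entries per level:", result["per_level"])


if __name__ == "__main__":
    print_report(SAMPLE_INI)
```

Run it against the [XEngine] section of a real OpenSim.ini to get the same report for a deployed grid.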

Web Management Features

The web-interface that is displayed to connecting clients is served by lighttpd from /var/www and has the following features:

  • Creating new accounts.
  • Downloading inventory archives (IARs).
  • Uploading inventory archives.
  • Downloading region archives (OARs).
  • Uploading region archives.

and is protected by CAPTCHAs. However, one major limitation and potential security concern for cross-domain logins is that not all viewers support displaying pages served over https, in which case the password entered on account creation is sent in plaintext. In VIBE's case, we have IP-level restrictions that block external access, especially to grids that have to be used by students, which makes this security limitation trivial until viewer developers are able to display pages served over https.

The following privacy rules are implemented for IAR and OAR handling:

  • Every user can download and upload their own IAR file using the web-interface.
  • Every region owner can download and upload the OAR of the region they own using the web-interface.

OpenSim Console Access

Clockwerk allows access to the OpenSim console directly from the log-in screen of any compatible viewer. This allows grid-owners to manage their own regions by directly commanding OpenSim from a web-browser or any viewer that supports OpenSim.

This feature can be accessed from the log-in screen of Clockwerk by clicking the “Console” button. Clockwerk will then ask for a user-name and password. By default, the username is admin and the password is password, but these values can be changed by editing /etc/guacamole/user-mapping.xml and changing the line:

<authorize username="admin" password="password">

in order to set a username and password. After that, Clockwerk needs to be reset, and grid-owners will then be able to access their own OpenSim console.

The console can be accessed by visiting:

http://clockwerk-grid-hostname/guacamole

where Clockwerk will prompt for the username and password specified earlier.

Virtual Machine

The Virtual Machine is set-up so that it allows users to update the entire system from the Wizardry and Steamworks servers. Updates take place over SVN so that when we have an update, users can use a provided script to pull the changes and update the machine. The demonstration video shows an example update process of Clockwerk. Similarly, Wizardry and Steamworks provides a set of management tools that facilitate the management of Clockwerk.

Optimizations

Clockwerk includes a number of optimizations, including a custom kernel, network tweaks for broadband access and filesystem tweaks.

Kernel-level Tweaks

The kernel is compiled with support for hugetables, which are enabled on boot, and with threaded IRQs. You can recompile the kernel by going to /usr/src/linux-image-3.2.51.

Sysctl Tweaks

sysctl tweaks are entered into the /etc/sysctl.d/local.conf file:

kernel.panic = 30
kernel.panic_on_oops = 30
kernel.sysrq = 0
kernel.core_uses_pid = 1
kernel.pid_max = 65536
kernel.randomize_va_space = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
vm.dirty_ratio = 60
vm.dirty_background_ratio = 2
vm.mmap_min_addr = 4096
vm.overcommit_ratio = 0
vm.overcommit_memory = 0
kernel.shmmax = 268435456
kernel.shmall = 268435456
vm.min_free_kbytes = 65536
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 5
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.tcp_fin_timeout = 15
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_slow_start_after_idle = 0
net.ipv4.conf.all.bootp_relay = 0
net.ipv4.conf.all.proxy_arp = 0
net.ipv4.tcp_dsack = 1
net.ipv4.tcp_sack = 1
net.ipv4.tcp_fack = 1
net.ipv4.tcp_timestamps = 1
net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_rfc1337 = 1
net.ipv4.ip_no_pmtu_disc = 1
net.ipv4.tcp_congestion_control = htcp
net.ipv4.tcp_window_scaling = 1
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_filter = 1
net.ipv4.tcp_mem = 65536 131072 262144
net.ipv4.udp_mem = 65536 131072 262144
net.ipv4.tcp_rmem = 8192 87380 16777216
net.ipv4.udp_rmem_min = 16384
net.core.rmem_default = 131072
net.core.rmem_max = 16777216
net.ipv4.tcp_wmem = 8192 65536 16777216
net.ipv4.udp_wmem_min = 16384
net.core.wmem_default = 131072
net.core.wmem_max = 16777216
net.core.somaxconn = 32768
net.core.netdev_max_backlog = 4096
net.core.dev_weight = 64
net.core.optmem_max = 65536
net.ipv4.tcp_max_tw_buckets = 1440000
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_max_orphans = 16384
net.ipv4.tcp_orphan_retries = 0
net.ipv4.ipfrag_high_thresh = 524288
net.ipv4.ipfrag_low_thresh = 446464
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1
net.unix.max_dgram_qlen = 50
net.ipv4.neigh.default.gc_thresh3 = 2048
net.ipv4.neigh.default.gc_thresh2 = 1024
net.ipv4.neigh.default.gc_thresh1 = 32
net.ipv4.neigh.default.gc_interval = 30
net.ipv4.neigh.default.proxy_qlen = 96
net.ipv4.neigh.default.unres_qlen = 6
net.ipv4.tcp_ecn = 1
net.ipv4.tcp_ecn = 2
net.ipv4.tcp_reordering = 3
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_retries1 = 3
net.ipv4.route.flush = 1
net.ipv6.route.flush = 1
net.ipv4.tcp_mtu_probing=1
vm.dirty_background_ratio = 80
vm.dirty_ratio = 90
vm.dirty_expire_centisecs = 6000
vm.dirty_writeback_centisecs = 4000
kernel.sched_min_granularity_ns = 10000000
kernel.sched_wakeup_granularity_ns = 15000000
fs.suid_dumpable = 0

and they include a number of optimizations, such as decreasing the swappiness and network-level enhancements.

Filesystem Tweaks

Clockwerk mounts the root partition as jfs in order to optimize accesses to the MySQL database in /var. Compared to its predecessor, the Spectacled Owl, Clockwerk simplifies the filesystem by switching to only one working partition.

Hardware Requirements

To set-up the virtual machine, the Spectacled Owl needs a bridged network. The development machine used in the demonstration video has the following configuration:

| Asset | Value  | Comments |
| CPU   | 2      | OpenSim tends to love CPUs, the more, the merrier. |
| RAM   | 2GB    | Seems to be sufficient even for large 15k primitive regions. |
| NET   | Bridge | The Spectacled Owl needs a real IP, regardless of whether it is a class C address. It is possible to use iptables to NAT the ports from /srv/opensim/Regions/Regions.ini if the Spectacled Owl has to run behind a firewall. |

Make sure to remove irrelevant hardware such as printers, floppy drives and other hardware from the Virtual Machine that would only overload the kernel and slow down the machine.

Passwords and Accounts

| Description                      | Value    | Comments |
| system root password             | password | can be changed using passwd root |
| opensim account password         | password | can be changed using passwd opensim |
| SSH port                         | 54377    | can be changed by editing /etc/sshd_config; set to 54377 to avoid automated attacks. |
| opensim mysql password           | ***      | no point in changing it since OpenSim connects over loopback. |
| console admin from web-interface | password | can be changed by editing /etc/guacamole/user-mapping.xml |

Bundled Running Software Daemons

  • sshguard to prevent automated attacks.
  • The VMs include a software watchdog meant to reset the VM on kernel panics and hangs as well as high load.
  • lighttpd is serving the web-management pages.

Filesystem Structure

Some of the important folders are:

| Folder                   | Description |
| clockwerk-opensim-config | Contains various configuration files for OpenSim. |
| clockwerk-opensim        | OpenSim sources with custom patches. |
| clockwerk-www            | The source of the web-based management interface. |

The folders are pulled from Wizardry and Steamworks by the upgrade script and then injected into the Clockwerk virtual machine. This allows us to push development patches to our users and to tweak the virtual machine on each run. We understand that some users prefer their privacy (instead of our trojan horse and a gentleman's parole), in which case the entire clockwerk folder can be deleted and the machine will still function properly, leaving updates (and forks) up to the user.

The root (/) filesystem is jfs.

upgrade and reset

Both scripts, upgrade and reset, are written in Bash and menu-driven. The upgrade script prompts before making any change and, if there are local changes, it allows users to see what changed via SVN. It further allows users to accept or reject those changes individually. The reset script is meant for re-initializing Clockwerk in order to provide a template for cloning using the virtualization software at hand and should never be run unless you intend to create a new grid.

assetcleaner

The asset cleaner is written in PHP and takes as parameter ALL the IARs and OARs of the grid. It will then connect to the OpenSim instance and track down any dangling references to assets, effectively wiping assets that are not used. For further details please consult the asset cleaner project page.

iardumper

The iardumper can be used to dump user inventories and pack them in IAR archives (which are zipped tape archives). Note that users can access their IARs at any time using the web-interface and that this tool is to be used by the administrator only.

iardumper is also triggered every day, and dumps the IARs of all avatars to /var/lib/iar using a path based on the avatar name. For example, iardumper will dump an avatar named “Test User” to /var/lib/iar/Test_User/Test_User.iar. This file is then used to serve IARs via the web-interface.

osstrap

osstrap runs on every startup and tries to guess the VM's IP address. It then proceeds to update OpenSim by setting the corresponding parameters in the various configuration files, and then starts OpenSim on the first console. The project can be found on the osstrap project page.

firewall

The firewall script configures the firewall and stores it across reboots using persistent tables. A good suggestion is to move this script out of the way and to edit it manually unless you are comfortable with using our recommended settings.

#!/bin/bash
###########################################################################
##  Copyright (C) Wizardry and Steamworks 2014 - License: GNU GPLv3      ##
##  Please see: http://www.gnu.org/licenses/gpl.html for legal details,  ##
##  rights of fair usage, the disclaimer and warranty conditions.        ##
###########################################################################
 
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
 
# SSH Guard
iptables -N sshguard
iptables -A INPUT -j sshguard
ip6tables -A INPUT -j sshguard
# Drop by default
iptables -P INPUT DROP
# Always accept loopback
iptables -A INPUT -i lo -j ACCEPT
# Measure idle for suspend
iptables -A INPUT -i eth0 -p tcp -m multiport --dport 9000,80 -j IDLETIMER --timeout 600 --label clockwerk
# Shaping traffic
iptables -t mangle -A PREROUTING -p tcp --dport 9000 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p udp --dport 9000 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp --sport 9000 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p udp --sport 9000 -j TOS --set-tos Minimize-Delay
# Accept related
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# SSH
iptables -A INPUT -i eth0 -p tcp --dport 54377 -j ACCEPT
# OpenSim
iptables -A INPUT -i eth0 -p tcp --dport 9000:9000 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 9000:9000 -j ACCEPT
# Web
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
# Samba
iptables -A INPUT -i eth0 -p tcp --dport 445 -j ACCEPT
 
# Save
iptables-save > /etc/iptables/rules.v4

The firewall allows one single region on port 9000, and you will have to edit it and change the rules to allow for more regions. The sshguard jump tables are important because they allow sshguard to block automated attacks on system services. Perhaps a good guide to fleshing out the firewall is to consult the iptables FUSS page.
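As an added example (not Clockwerk's own tooling), a Python check that compares the InternalPort of every region in Regions.ini with the ports the firewall script accepts, and renders the per-port rules that would replace the single 9000:9000 pair, including the IDLETIMER multiport list used for suspend. The Regions.ini contents and the firewall excerpt are constructed from the layout described on this page; the region names and UUIDs are placeholders.

```python
import configparser
import re

# Constructed Regions.ini with two regions, following OpenSim's per-region section layout.
SAMPLE_REGIONS_INI = """\
[Welcome]
RegionUUID = 00000000-0000-0000-0000-000000000001
Location = 1000,1000
InternalAddress = 0.0.0.0
InternalPort = 9000
AllowAlternatePorts = False
ExternalHostName = SYSTEMIP

[Physics Lab]
RegionUUID = 00000000-0000-0000-0000-000000000002
Location = 1001,1000
InternalAddress = 0.0.0.0
InternalPort = 9001
AllowAlternatePorts = False
ExternalHostName = SYSTEMIP
"""

# The INPUT accept rules as the Clockwerk firewall script ships them (excerpt, one region).
SAMPLE_FIREWALL = """\
iptables -A INPUT -i eth0 -p tcp --dport 54377 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 9000:9000 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 9000:9000 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
"""

# An INPUT accept rule with a single --dport N or a range N:M.
DPORT_RE = re.compile(r"-A INPUT\b.*?-p (tcp|udp)\b.*?--dport (\d+)(?::(\d+))?.*?-j ACCEPT")


def region_ports(regions_ini_text):
    """Sorted, de-duplicated InternalPort of every region section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(regions_ini_text)
    return sorted({cp.getint(section, "InternalPort") for section in cp.sections()})


def accepted_ports(firewall_text):
    """Map protocol -> set of destination ports the INPUT chain accepts, expanding N:M."""
    accepted = {"tcp": set(), "udp": set()}
    for line in firewall_text.splitlines():
        m = DPORT_RE.search(line)
        if m:
            proto, low, high = m.group(1), int(m.group(2)), m.group(3)
            high = int(high) if high else low
            accepted[proto].update(range(low, high + 1))
    return accepted


def unreachable_regions(regions_ini_text, firewall_text):
    """Region ports not accepted on both TCP (caps/HTTP) and UDP (viewer traffic)."""
    acc = accepted_ports(firewall_text)
    return [p for p in region_ports(regions_ini_text)
            if p not in acc["tcp"] or p not in acc["udp"]]


def render_region_rules(ports, iface="eth0"):
    """iptables commands covering every region port, plus the matching IDLETIMER rule.

    The IDLETIMER rule drives the suspend logic described on the page, so it has to watch
    every region port and the web port; -m multiport accepts at most 15 ports per rule.
    """
    rules = []
    for port in ports:
        for proto in ("tcp", "udp"):
            rules.append(f"iptables -A INPUT -i {iface} -p {proto} --dport {port} -j ACCEPT")
    watched = ",".join(str(p) for p in list(ports) + [80])
    rules.append(f"iptables -A INPUT -i {iface} -p tcp -m multiport --dport {watched} "
                 f"-j IDLETIMER --timeout 600 --label clockwerk")
    return rules


if __name__ == "__main__":
    missing = unreachable_regions(SAMPLE_REGIONS_INI, SAMPLE_FIREWALL)
    print("region ports blocked by the current firewall:", missing)
    print("\n".join(render_region_rules(region_ports(SAMPLE_REGIONS_INI))))
```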

fix_file_permissions

This script is based on the fix file permissions script and is meant to periodically reset the appropriate permissions to the filesystem as if the system has been freshly installed.

Making Local Configuration Changes

Clockwerk uses one additional configuration file Clockwerk.ini that is placed under /srv/opensim. This file is included by OpenSim and any local preferences should be added to Clockwerk.ini instead of modifying the OpenSim configuration files directly. When you upgrade Clockwerk through clockwerk-upgrade the OpenSim configuration files will be overwritten (except for Regions.ini) but Clockwerk.ini will be preserved, thus making updates seamless.

Upgrading Clockwerk

To upgrade Clockwerk, log-in as root and issue clockwerk-upgrade. You will be prompted by a dialog-driven wizard that will pull all the latest changes from the Wizardry and Steamworks development branch and update the system.

The upgrade procedure proceeds in the following order:

  1. packages from uninstall-packages.txt are removed and packages from install-packages.txt are installed.
  2. the upgrade script calls aptitude upgrade in order to update the Debian distribution.
  3. the filesystem is injected with the tree in lib/fs which deploys system scripts (for example, the periodic suspend script clockwerk_pm).
  4. the opensim sources are pulled from the Wizardry and Steamworks repository and the user is prompted to upgrade OpenSim if any changes were made.
  5. the user is prompted to replace the OpenSim configuration files with updated versions from the Wizardry and Steamworks repository.
  6. the website pages used by OpenSim are updated if the user chooses to do so.
  7. the user is asked to apply the latest firewall changes.
  8. the upgrade script offers to restart OpenSim.

Any of these steps can be skipped by answering No. For example, it may be useful to update the firewall from the repositories, as a reference, but to create your own copy and modify it. The upgrade script allows you to do that.

Deploying Clockwerk

To create a brand-new template for cloning, log-in as root and issue clockwerk-reset. This will wipe Clockwerk, database, logs and other junk so that you can use your virtualization software to clone or make a template of the machine. Please remember to reset the MAC address of the network card when starting a new VM.

Contrast to Other Projects

The first project worth mentioning is Military Open Simulator Enterprise Strategy (MOSES). They have a set-up similar to the one Wizardry and Steamworks made for VIBE. There are a few differences between the Spectacled Owl and MOSES that are worth mentioning:

  • They use BSD for the guest system - which is a good choice considering that BSD screens most applications that are allowed into their distribution. On the other hand, BSD is slow paced and better performance can be achieved with Linux, albeit on the pretext of losing stability. Nevertheless, our previous version, Snowy Owl made in 2011, was based on BSD and we have experienced more crashes than we do now.
  • Clockwerk can be updated without rolling out new VM templates, thus making development easier by injecting changes directly into the existing VMs.
  • MOSES uses grid-wide services, even though they virtualize their grids, which obviously backfires and introduces a single point of failure. Most problems are related to grid-services when they are accessed from many sources (i.e., they span up to 117 grids). We have experienced the same OpenSim annoyances (reappearing primitives, minutes-long lag, etc.) on Science Sim, which also uses grid-wide services.

The second project worth mentioning is Sim-on-a-Stick, which bundles OpenSim and a viewer, making OpenSim portable. This does resemble the Spectacled Owl, given that Sim-on-a-Stick is just the payload. It is possible to run the Spectacled Owl on a USB stick with a portable version of qemu.

Copyright

Clockwerk is a virtual machine that contains a bunch of software packages, none of which are proprietary (including any non-free, yet distributable software from the Debian Linux distribution). As such, the software on the Spectacled Owl distributed hard-drive is copyright to their respective owners. Wizardry and Steamworks contributes with software as well, indicated by the Wizardry and Steamworks copyright header, which is copyrighted to the Wizardry and Steamworks group under the GNU GPLv3 license or MIT license where indicated.

As far as our contributions go, you are allowed to freely distribute them, modify, distribute and sell them provided you have the agreement of the other involved contributors. Keep in mind that not all free-to-distribute licenses are also free to commercialise and that GNU GPLv3 does not mean public domain.

opensim/clockwerk.txt · Last modified: 2017/02/22 18:30 (external edit)
