Computer Science, Information Management, Data Science & Artificial Intelligence

Prospective students

Details
Category: Uncategorised

You can print on many printers around the campus if you install the special software that works with Ricoh printers.

There are printers available at Admissions, AIT Center reception, AIT IS, EEM room w127, Energy room 204, AIT Extension, HR, ISE, Library, OFAM, Purchasing, SET room n230, TC, WEM room w203, Yunus center, and others.

Not all printers are accessible to everyone, not all printers are accessible 24/7, Library ones are available at the Library opening hours.

Before you use any  of the printers, you need to configure the software. Once the printer is configured, it will be working when you are connected in CSIM or anywhere in AIT.

For Linux and MacOS, see at the bottom of this page.

 Installing the software on Windows

1. Search for Run (or type ⊞ Win+R) to launch a command.
2. Type \\10.52.5.20 to access the print server.
 3. Enter the username 1234 and the password 1234.
Select Remember my credentials
And click OK.
Note: the username and password are the four digits 1234, not your own username or password.
4. Double click on the folder Ricoh Document.
5. Double click on MapPrinter student popup to launch the installer.
6. Click on Run to accept the installation of the software.
A new printer will be added to your computer.
7. Configure the new printer AITPrint_Popup on 10.52.5.20
Right click on the printer and select Printing preferences
8. Click on Authentication...
9. Type you AIT account name in Enter Login User Name:
For students it will be something like st123456.
Do not enter your password.
Click OK and close all the windows.

Printing

Use the printer AITPrint_Popup on 10.52.5.20 like any other printer on Windows.

Each time you print a document, the Authentication popup will show, like on point 9, above, just click OK.

You print job has been queued and now you can go to a printer to do the physical printing.

Using your AIT ID card

The first time you print a document, you can register your AIT ID card with the system. Once your  card is registered, you will only have to wave your card at one of the printer to collect your documents.

Note: Only use your personal, actual AIT ID card, do not use the card of a friend, do not use the card from last year, do not use the card of your condo or your ATM card. The system does not check the card, but it will in the future.

If you are issued a new card, swipe it on a printer and proceed to associate it to your account. You can only have one card associated to your name at any given time.

1. Insert your AIT ID card in the card reader of one printer.
The card reader is located on the right, under the control panel of the printer.
2. If the system has never seen that card before, you must authenticate. to associate the card to your name.
Use your AIT username st123456 and AIT password.
Click on Associate card.
Your card is saved in the system.
3. The system display the list of pending jobs.
Click on Print release.
Do not forget to Log out when you are done printing.
4. Next time you need to print, just swipe your card on any printer and you will be redirected to step 3. automatically.  

Installing the printer for Linux or MacOS

I could not test the following solution for MacOS (for lack of Apple system), but it should work the same as for Linux. It should also work for any other flavour of Unix.

To use the printers disseminated in AIT, you need to add a new printer to your computer, with the following settings:

Network printer
LPD/LPR Host or Printer
Host
st123456@10.52.5.20
Note: It is very important that you use your AIT username in front of the host IP address. On your laptop, you have a username that is not your AIT student ID, maybe you use your first name or your nick name... This name is unknown in AIT systems, so you must indicate that you will be printing using that specific AIT username.
Anyone printing with your laptop will be using your account and your quota.
Queue
AITPrint
Be careful to use the proper upper and lower cases.
Makes
Ricoh
Model
IM C2000
Driver
Ricoh IM C2000 PS [en](recommended)

Note: do not print a test page, on Linux it prints a two sided colour page, that will count for 20 pages on your quota.

Using your AIT ID card to release the print jobs is the same as for Windows users above

Details
Category: Uncategorised

We have three servers that can be used to run docker containers: puffer.cs.ait.ac.th, gourami.cs.ait.ac.th and guppy.cs.ait.ac.th. See the hardware configuration at the bottom of this page.

Using JupyterHub

Any user of CSIM and DSAI can access any of these servers through a JupyterHub interface to run Python notebooks. (At the moment, guppy is not available).

There is no further restriction.

Running containers manually

See important points about the migration of your existing containers and data.

Students enrolled in Machine Learning courses can also access the server directly via SSH and manually run their own containers. But security concerns arise when students run container under the default root username.

You must run your containers under your own username and groupname: To launch a docker container, user the option -u or --user in your command:

docker run -u $(id -u):$(id -g) ...

Container that run under root username are stopped automatically. 

As a direct consequence, your container will not be able to use docker volume. Instead you can use storage on your main home directory or in a dedicated directory in /home2.

Using your home directory

After you SSH'ed to one of the servers, use the command:

docker run -u $(id -u):$(id -g) -v `pwd`:/app ...

and your container will be able to save data in the directory /app, The data will be accessible from your home directory from any machine on CSIM network.

Using your home directory is slow because the data are stored on the network, but the data are readily accessible from any machine.

Data saved in your homedirectory will be limited by the quota on your account. Use the command quota -s or go to the account management page.

See important points about the migration of your existing containers and data.

Using a local directory in /home2

You can create a personal directory in /home2. It will be faster to use because it does not cross the network, but will only be accessible from that single server.

First step is to create the directory:

mkdir /home2/st123456

You must use your own username for the directory. Any directory with a name that does not correspond to a username will be made unavailable.

Then launch your container:

docker run -u $(id -u):$(id -g) -v /home2/st123456:/app ...

Similarly, your container will be able to save data in the directory /app and when not using a container, the data will be accessible in /home2/st123456.

There is no limit on the size of the data you can use, but the space is still limited to the size of the disks on the servers. Also consider that larger data may exceed the capacity of our backup.

See important points about the migration of your existing containers and data.

Migration

Even though the new policy will not be enabled immediately, you can start applying it from now-on. That may give you some amount of time to iron-out any problem.

There are few considerations you should be aware of when the new policy is enabled.

Migration of your containers

When the policy is enabled, containers currently running under root username will be allowed to continue until their termination. But you will not be able to run them again once they have stopped. 

Migration of your data

Data created before enabling the policy belong to the user root. You may not be able to access the data anymore. Please This email address is being protected from spambots. You need JavaScript enabled to view it. to correct the problem.

Container and data end of life

When your account with CSIM or DSAI expires, any of your container still running will be terminated automatically.

If the size of your data on the servers is not excessive, the data will be preserved, else, data created on the servers, via JupyterHub or in /home2 will be lost.

If the space in /home2 is being exhausted and other users cannot save data anymore, we may have to remove the data from the largest user.

Hardware of the servers

puffer 32 x CPU, 64GB memory, 4 x NVIDIA GeForce RTX 2080 Ti
gourami 8 x CPU, 32 GB memory, 2 x NVIDIA GeForce GTX 1080 Ti
guppy 8 x CPU, 15GB memory, 2 x NVIDIA GeForce GTX 1080 Ti

Powered by: Docker JupyterHub
Details
Category: Uncategorised

Network Access Gateway at CSIM is based on ZeroShell.

Use the following URL

With the new firewall, the IP address has changed, please use the following URL:

https://192.41.170.54:12081/cgi-bin/zscp?Section=CPAuth&Action=Show&ZSCPRedirect=www.cs.ait.ac.th:::https://www.cs.ait.ac.th/

and update your bookmark.

Network Access

The Computer Crime Act B.E. 2550 of Thailand requires that any person access Internet is properly identified. In order to fulfill this requirement, you must authenticate to the network access gateway before you can access any Internet resource outside of AIT (inside AIT is any IP addresses 192.41.170/24 and 203.159/18, AIT web site is hosted in the cloud and therefore is outside of AIT).

Authentication is performed on the web; the first time you access an external web page from a given computer, you are presented with the gateway page:

You should use your CSIM account and password to authenticate. Alternatively, you can click on the X509 Login button.

Once authenticated, a pop-up window will open. You must allow this pop-up window as it will maintain your computer authenticated to the gateway. If the pop-up window dies for any reason, the authentication will automatically expire within less than 10 minutes.

Once authenticated, you can access any Internet resource. The authentication will remain as long as the pop-up window is alive.

Every ten minutes, the pop-up will send authentication renewal message to the access gateway; in case the gateway does not receive a renewal message, the connection dies; this prevents the next user to steal an open connection associated to a given IP address.

X509 Login

As an alternative to username and password, you can use a X509 identity to login. X509 login is easier and simpler: once configured, you only need to click on the button. This proves very useful in the case of mobile devices like smartphones.

An X509 identity associates a public key (from a private/public encryption system) and the identity of the owner of the key: I hereby certify that this key 56ABG-YUT54-8WSHU7-IYI77 belongs to Mr Olivier Nicole from AIT/CSIM. That X509 identity is then recognized by our firewall.

You can either create your X509 automatically or you can create it manually.

Security wise, X509 certificates are not flawless, but in the case of authentication for network access gateway, it is acceptable. It also means that your CSIM password is not stored in your computer; anyone accessing your computer will not be able to steal your CSIM password. But anyone who access your account on your computer will still be able to access Internet under your name.

Create your X509 automatically

Simply go to CSIM account management page and fill in the password for X509 identity. The Certificate will be sent to you by email in your CSIM mailbox. This is fast and easy.

You can download the file from your email and install your X509 identity. The X509 identity is valid for one year.

Installing your X509 identity

On Windows, you can simply double-click on the file. Once you have entered the password you choose above, you can click on Next at every step. The X509 identity will be automatically installed in your Personal certificates. Once installed, your X509 identity will be available for any web browser you use.

On Linux, you need to install your X509 identity in your web browser. Open the Settings for your browser and search for Certificates. Then import the file in Your Certificates. You will need to repeat the same operation with all the web browsers that you are using.

You can use your X509 identity on more than one system.

Note: If you do not delete your X509 identity file right after installing it, remember to protect it against theft.

Using your X509 identity

On the CSIM access gateway page, simply click on the X509 button.

When you use the X509 identity for the first time, your browser will ask you to choose which identity to use; for example with Firefox:

Create your X509 identity manually

Creating your X509 identity manually require many steps, but you keep a full control on the process. You also retain the full rights on your private key.

There are many ways to create your X509 identity; the method below works on most of the Unix systems (alternatively you can run the commands below inside an MS-DOS windows on a Microsoft system, after you have installed OpenSSL for Windows from Shining Light Productions, available locally from \\banyan\application\WINAPPS\OpenSSL\Win64OpenSSL-3_1_1.exe):

  1. Generate a my.key that contains your RSA public/private key:
      openssl genrsa -des3 -out my.key 2048  
    It will ask you to enter a password for your secret key. You will have to type the password twice.
    Make very sure to store the file my.key in a safe place.
  2. For security, change the mode of the file my.key, so that only you can read it:
      chmod 400 my.key  
  3. Generate a certificate request:
      openssl req -new -sha256 -key my.key -out my.csr  
    And answer the questions:
      
    You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank.
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TH
State or Province Name (full name) [Some-State]:Pathumthani
Locality Name (eg, city) []:Klong Luang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:AIT
Organizational Unit Name (eg, section) []:CSIM
Common Name (eg, YOUR name) []:Olivier Nicole
Email Address []:on@cs.ait.ac.th
    
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
    		  
    Use your full name and email address at CSIM.
  4. Send the file my.csr to This email address is being protected from spambots. You need JavaScript enabled to view it. (This email address is being protected from spambots. You need JavaScript enabled to view it.), for certification. I must be able to verify your identity, use CSIM or AIT email to send the file. If I cannot asses your identify, I will not issue the certificate.
    Note: the file my.csr is a plain text file, you can copy/paste it to your mail, no need to attach it.
  5. Within a couple of days, I will send you a reply that contains your X509 certificate file. Save it under the name my.crt.
  6. Your certificate is generated by CSIM, using CSIM Certification Authority file. You need to download this file before you proceed to the next step; save it under the name cs.ait.ac.th.ca.
  7. Generate a PKCS12 file for X509 identity:
      
    openssl pkcs12 -export -inkey my.key -in my.crt -certfile cs.ait.ac.th.ca -out my.p12 -name "Olivier Nicole"
    		  
    Use your full name.
    Note: the "quotes" around the name.
    It will ask you for you password for the secret key (as in 1) and to choose and enter a PKSC12 password. The PKSC12 password can be different from the passowrd for the secret key.
  8. Change the mode of the file my.p12 for safety; the file my.p12 contains a copy of your private key, keep it as secured as your private key:
      
    chmod 400 my.p12
    		  
  9. Install your X509 identity as described above.

Powered by: ZeroShell OpenSSL
Details
Category: Uncategorised

Based upon DNS graph by Nathan Campi

In his scripts for graphing DNS activity, Nathan is proposing a workaround for Bind 9.The need for a workaround arises because with Bind 8 the statistics kept by named used to include the number of queries received by the server for each type of query, it was easy to retreive the data from the statistics of named to draw the graph; whileBind 9 do not collect such data anymore, they should be collected by logging all the queries and calculating statistics.

Nathan proposes to log the queries to stderr and run named though a shell script; the script will read from stderr.

I don't like that solution because:

  • named is not started in the regular fashion, that could cause incompatibilities when system is upgraded (many system upgrade cause named upgrade);
  • named would fail in case the sheel script fails;

While at same time, named knows how to log the queries to a separate file and it includes builtin a mechanism to rotate the file when it reaches a certain size a Perl module like File::Tail knows how to read from a file that get rotated like syslog files or this named quey log file.

The solution I propose decribed bellow.

Log the queries to a file

Configure Bind 9 to log all the queries to a file. In the example bellow, the file is called query-log, it rotates everytime the file grows over 1 MB and named keeps up to three backup versions of the file.

 

logging {
        channel query-log {
                          file "query-log" versions 3 size 1m;
        };
        category queries {
                         query-log;
                         };
        ... rest of named logging configuration
};
options {
        querylog yes;
        ... rest of named options

  
Example of named.conf configuration file for Bind 9

There will be up to four files created in named default directory, query-logquery-log.0query-log.1 and query-log.2. The file that contains the most recent queries is query-log.

Examine the log file and collect statistics

The following Perl script uses the module File::Tail to read the file event when it rotates, it computes the number of queries by type.

The script saves its own PID in the file $pidfile. Upon receiving a hang-up signal, it writes the statistics in the file $dumpfile. The $log_wait_interval is used by File::Tail to set the tick clock when the Perl script should become active and try to read new entries in the log file.

This script should loop indefinitely, it should be launch at boot time (use your prefered method to launch that script).

  #!/usr/local/bin/perl
$logfile = "/var/chroot/named/etc/named/query-log"; # where to read the queries
$dumpfile="/var/run/bind9_stats_count.dump"; # where to write the statistics
$pidfile="/var/run/bind9_stats_count.pid"; # where to write the PID
$log_wait_interval=1; # tick clock for reading the query log file

use File::Tail;

$SIG{'HUP'}='dump';
open OUT, ">$pidfile";
print OUT $$;
close OUT;
@query_list=("A", "PTR", "ANY", "MX", "NS", "CNAME", "SOA", "SRV", "AAAA");


sub init{
    foreach $i (@query_list) {
        $query{$i}=0;
    }
}

sub dump {
    # dump the statistics when receiving a HUP signal
    my $total=0;
    open OUT, ">$dumpfile";
    flock OUT, 2;
    foreach $i (@query_list) {
        print OUT "$query{$i} ";
        $total+=$query{$i};
    }

    print OUT "$total\n";
    flock OUT, 8;
    close OUT;
    init();
}

sub getlogline {
    # The first time we're called; open the logfile, skip to the end,
    # and remember the inode we opened.
    if (!defined($lffd)) {
        $lffd = File::Tail->new(name=>$logfile, maxinterval=>5,
        interval=>$log_wait_interval);
        if (!defined($lffd)) {
            die "Can't open $logfile\n";
        }
    }
    return $lffd->read;
}

init();
while ($line=getlogline) {
    # regexpr to read a query from the log file
    next unless $line=~
        /^client\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\#\d+:\s+query:\s+.*\s+IN\s+([A-Z]+)\s+/;
    $query{$1}++;
}
  
The script count_stat should be started at boot time

The display-bindstats.pl script

It corresponds to the script use for Bind 8 on Nathan's page. But to collect the statistics, it only has to send an hang-up signal to the script above and read the data from the file as designed in $dumpfile.

#!/bin/sh
kill -1 `/bin/cat /var/run/bind9_stats_count.pid`
/bin/sleep 2
/bin/cat /var/run/bind9_stats_count.dump
The script /usr/local/sbin/display-bindstats.pl

This script is called by SNMP in the exact way defined on Nathan's page for Bind 8.

Integration with SMF under Solaris

The following modification has been suggested to me by Robert Jansen from Brussels University:

  To have this e.g. integrated under SMF under Solaris, one can define the
start method in the xml. manifest as follows:

snip....
<exec_method
        type='method'
        name='start'
        exec='/usr/local/packages/bindstats/count_stat &'

.....

snip......

but,... the "count_stat" script returns a value where the Solaris SMF
facility isn't to happy about,... namely "256" and thinks the script is
"offline".

By adding "return 0;" at the end of your script, Solaris's SMF will think
this service is online.
It's a workaround.

snip.....

init();
while ($line=getlogline) {
    # regexpr to read a query from the log file
    next unless $line=~
        /^client\s+\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\#\d+:\s+query:\s+.*\s+IN\s+([A-Z]+)\s+/;
    $query{}++;
}
return 0;		  
Integration in SMF under Solaris
Details
Category: Uncategorised

Based upon DNS graph by Nathan Campi; graphics by 

Statistics for the dayweek or month.

Statistics for the system, processing, spam/virus, clients.

  1. Monthly statistics for mail.cs.ait.ac.th
  2. Weekly statistics for mail.cs.ait.ac.th
  3. Daily statistics for mail.cs.ait.ac.th
  4. Printer page count