read many more report on SSL。 does it mean currently the mesos can't support ssl interconn?
2015-09-17 18:55 GMT+08:00 Carlos Sanchez <[email protected]>: > I got back to SSL and made some progress, SSL is enabled now (I think > I needed to export the variables in /etc/default/mesos) > but I got 2 new problems (described in more detail in > https://gist.github.com/carlossg/64c9f8050d637f51c77c ) > > #1 slaves can't connect to master over SSL, master refuses connection > with: Error (26): unsupported certificate purpose > > but slave cert has what I believe are correct certificate purposes, are > they ? > > openssl x509 -in /etc/mesos/tiger.crt -noout -purpose > Certificate purposes: > SSL client : Yes > SSL client CA : No > SSL server : Yes > SSL server CA : No > Netscape SSL server : Yes > Netscape SSL server CA : No > S/MIME signing : No > S/MIME signing CA : No > S/MIME encryption : No > S/MIME encryption CA : No > CRL signing : No > CRL signing CA : No > Any Purpose : Yes > Any Purpose CA : Yes > OCSP helper : Yes > OCSP helper CA : No > Time Stamp signing : No > Time Stamp signing CA : No > > #2 can't connect to master if cert validation is enabled with > SSL_VALIDATE_CERT=true or SSL_REQUIRE_CERT=true > Tried enabling all protocols and no luck, also set the hostname > correctly to ensure ssl works fine (is name matching actually required > for the mesos slaves?) > If SSL_VALIDATE_CERT=false and SSL_REQUIRE_CERT=false and I don't > provide cert in the curl call it connects fine, so server certificate > seems to be correct > > Master running with > /usr/sbin/mesos-master --zk=zk://zk:[email protected]:2181/mesos > --port=5050 --log_dir=/var/log/mesos --authenticate=true > --authenticate_slaves=true --credentials=/etc/mesos/credentials > --hostname=tiger-jdoe-controller-1.tiger.acme.net --quorum=1 > --work_dir=/var/lib/mesos > > Tried with curl > > curl -v --cacert /etc/mesos/rootCA.pem --key > /home/ubuntu/tiger-client.key.pem --cert > /home/ubuntu/tiger-client.cert.pem > https://tiger-jdoe-controller-1.tiger.acme.net:5050/master/state.json > > > ubuntu 14.04.3 curl 7.35.0 > > * Hostname was NOT found in DNS cache > * Trying 127.0.0.1... > * Connected to tiger-jdoe-controller-1.tiger.acme.net (127.0.0.1) port > 5050 (#0) > * successfully set certificate verify locations: > * CAfile: /etc/mesos/rootCA.pem > CApath: /etc/ssl/certs > * SSLv3, TLS handshake, Client hello (1): > * SSLv3, TLS handshake, Server hello (2): > * SSLv3, TLS handshake, CERT (11): > * SSLv3, TLS handshake, Request CERT (13): > * SSLv3, TLS handshake, Server finished (14): > * SSLv3, TLS handshake, CERT (11): > * SSLv3, TLS handshake, Client key exchange (16): > * SSLv3, TLS handshake, CERT verify (15): > * SSLv3, TLS change cipher, Client hello (1): > * SSLv3, TLS handshake, Finished (20): > * SSLv3, TLS change cipher, Client hello (1): > * SSLv3, TLS handshake, Finished (20): > * SSL connection using AES128-SHA > * Server certificate: > * subject: C=US; O=acme; OU=Tiger; CN= > tiger-jdoe-controller-1.tiger.acme.net > * start date: 2015-09-16 18:28:30 GMT > * expire date: 2025-09-13 18:28:30 GMT > * common name: tiger-jdoe-controller-1.tiger.acme.net (matched) > * issuer: C=US; ST=CA; O=acme; OU=Tiger > * SSL certificate verify ok. > > GET /master/state.json HTTP/1.1 > > User-Agent: curl/7.35.0 > > Host: tiger-jdoe-controller-1.tiger.acme.net:5050 > > Accept: */* > > > * Empty reply from server > * Connection #0 to host tiger-jdoe-controller-1.tiger.acme.net left intact > curl: (52) Empty reply from server > > > Seems there is an issue with curl debug log in older curl versions so > I tried with newer ones > > ubuntu:wily curl 7.43.0 ends in a similar way > > * Connected to tiger-jdoe-controller-1.tiger.acme.net (127.0.0.1) port > 5050 (#0) > * found 1 certificates in /etc/mesos/rootCA.pem > * found 748 certificates in /etc/ssl/certs > * ALPN, offering http/1.1 > * SSL connection using TLS1.2 / RSA_AES_128_CBC_SHA1 > * server certificate verification OK > * server certificate status verification SKIPPED > * common name: tiger-jdoe-controller-1.tiger.acme.net (matched) > * server certificate expiration date OK > * server certificate activation date OK > * certificate public key: RSA > * certificate version: #3 > * subject: C=US,O=acme,OU=Tiger,CN= > tiger-jdoe-controller-1.tiger.acme.net > * start date: Wed, 16 Sep 2015 18:28:30 GMT > * expire date: Sat, 13 Sep 2025 18:28:30 GMT > * issuer: C=US,ST=CA,O=acme,OU=Tiger > * compression: NULL > * ALPN, server did not agree to a protocol > > GET /master/state.json HTTP/1.1 > > Host: tiger-jdoe-controller-1.tiger.acme.net:5050 > > User-Agent: curl/7.43.0 > > Accept: */* > > > * GnuTLS recv error (-110): The TLS connection was non-properly terminated. > * Closing connection 0 > curl: (56) GnuTLS recv error (-110): The TLS connection was > non-properly terminated. > > curl 7.42.1 from appropriate/curl same thing > > * Empty reply from server > * Connection #0 to host tiger-jdoe-controller-1.tiger.acme.net left intact > curl: (52) Empty reply from server > > The detailed logs are at > https://gist.github.com/carlossg/64c9f8050d637f51c77c > > Thanks in advance > > On Wed, Aug 26, 2015 at 3:25 AM, Joris Van Remoortere > <[email protected]> wrote: > > @Carlos > > Mesosphere currently doesn't build packages with ssl enabled. > > > > On Tue, Aug 25, 2015 at 3:12 PM, Carlos Sanchez <[email protected]> > wrote: > >> > >> Hi Joris, > >> > >> I did build from sources, following instructions in > >> http://mesos.apache.org/gettingstarted/ > >> > >> Is the mesosphere binary compiled with libevent and ssl enabled as > >> mentioned previously? would make debugging easier if I don't have to > rebuild > >> > >> > >> > >> On Tue, Aug 25, 2015 at 8:52 PM, Joris Van Remoortere > >> <[email protected]> wrote: > >>> > >>> @carlos > >>> Are you building 0.23.0 from source? > >>> Just so we don't miss anything: Can you make sure to run ./bootstrap, > and > >>> build in a clean directory with your configuration similar to this: > >>> > >>> ../configure --enable-libevent --enable-ssl > >>> > >>> Here is the document I am using as a reference > >>> > >>> When you start up a master, if you just specify SSL_ENABLED=true it > >>> should error out and notify you that other required flags such as > >>> SSL_KEY_FILE are not provided. Can you verify this? If that is not > >>> happening, then the 2 options are: > >>> 1. Your environment variables are not making it to the binary: See Jeff > >>> Schroeder's comments > >>> 2. The binary is not actually the one you expect. Double check the > >>> checksum with the binary you built after configuring with SSL. > >>> > >>> > >>> > >>> On Fri, Aug 14, 2015 at 12:55 PM, Carlos Sanchez <[email protected]> > >>> wrote: > >>>> > >>>> looking forward to it, thanks! > >>>> running out of ideas here on what am I doing wrong > >>>> > >>>> On Fri, Aug 14, 2015 at 6:53 PM, Marco Massenzio <[email protected] > > > >>>> wrote: > >>>> > FYI - Joris is out this week, he'll be probably able to get back to > >>>> > you > >>>> > early next (modulo MesosCon craziness :) > >>>> > > >>>> > Marco Massenzio > >>>> > Distributed Systems Engineer > >>>> > > >>>> > On Fri, Aug 14, 2015 at 9:14 AM, Carlos Sanchez <[email protected]> > >>>> > wrote: > >>>> >> > >>>> >> no suggestions? > >>>> >> > >>>> >> On Tue, Aug 11, 2015 at 6:47 PM, Vinod Kone <[email protected]> > >>>> >> wrote: > >>>> >> > @joris, can you help out here? > >>>> >> > > >>>> >> > On Tue, Aug 11, 2015 at 9:43 AM, Carlos Sanchez < > [email protected]> > >>>> >> > wrote: > >>>> >> >> > >>>> >> >> I have tried to enable SSL with no success, even compiling from > >>>> >> >> source > >>>> >> >> with the ssl flags --enable-libevent --enable-ssl > >>>> >> >> > >>>> >> >> export SSL_ENABLED=true > >>>> >> >> export SSL_SUPPORT_DOWNGRADE=false > >>>> >> >> export SSL_REQUIRE_CERT=true > >>>> >> >> export SSL_CERT_FILE=/etc/mesos/... > >>>> >> >> export SSL_KEY_FILE=/etc/mesos/... > >>>> >> >> export SSL_CA_FILE=/etc/mesos/... > >>>> >> >> > >>>> >> >> > >>>> >> >> > /home/ubuntu/mesos-deb-packaging/mesos-repo/build/src/mesos-master > >>>> >> >> --work_dir="/var/lib/mesos" > >>>> >> >> > >>>> >> >> Port 5050 is still served as plain http, no SSL > >>>> >> >> > >>>> >> >> Nothing about ssl shows up in the logs, any ideas? > >>>> >> >> > >>>> >> >> Thanks > >>>> >> >> > >>>> >> >> > >>>> >> >> > > >>>> >> >> > From: Dharmit Shah <[email protected]> > >>>> >> >> > To: [email protected] > >>>> >> >> > Cc: > >>>> >> >> > Date: Mon, 10 Aug 2015 14:13:04 +0530 > >>>> >> >> > Subject: Re: SSL in Mesos 0.23 > >>>> >> >> > Hi Jeff, > >>>> >> >> > > >>>> >> >> > Thanks for the suggestion. > >>>> >> >> > > >>>> >> >> > I modified the systemd service file to use > >>>> >> >> > `/etc/sysconfig/mesos-master` and `/etc/sysconfig/mesos-slave` > >>>> >> >> > as > >>>> >> >> > environment files for master and slave services respectively. > In > >>>> >> >> > these > >>>> >> >> > files, I specified the environment variables that I used to > >>>> >> >> > specify > >>>> >> >> > on > >>>> >> >> > the command line. > >>>> >> >> > > >>>> >> >> > Now if I check `strings /proc/<pid>/environ | grep SSL` for > pids > >>>> >> >> > of > >>>> >> >> > master and slave services, I see the environment variables > that > >>>> >> >> > I set > >>>> >> >> > in the /etc/sysconfig/<environment-file>. > >>>> >> >> > > >>>> >> >> > Now that it looks like I have started the master and slave > >>>> >> >> > services > >>>> >> >> > with SSL enabled, how do I really confirm that communication > >>>> >> >> > between > >>>> >> >> > master and slaves is really happening over SSL? > >>>> >> >> > > >>>> >> >> > Also, how do I enable SSL communication for a framework like > >>>> >> >> > Marathon? > >>>> >> >> > > >>>> >> >> > Regards, > >>>> >> >> > Dharmit. > >>>> >> >> > > >>>> >> >> > On Fri, Aug 7, 2015 at 10:56 PM, Jeff Schroeder > >>>> >> >> > <[email protected]> wrote: > >>>> >> >> > > The sudo command defaults to envreset (look for that in the > >>>> >> >> > > man > >>>> >> >> > > page) > >>>> >> >> > > which > >>>> >> >> > > strips all env variables sans a select few. I'd almost bet > >>>> >> >> > > that > >>>> >> >> > > your > >>>> >> >> > > SSL_* > >>>> >> >> > > variables are not present and were not passed to the slave. > >>>> >> >> > > Just > >>>> >> >> > > sudo > >>>> >> >> > > -i and > >>>> >> >> > > start the slaves *as root* without sudo. There is no benefit > >>>> >> >> > > to > >>>> >> >> > > starting > >>>> >> >> > > them with sudo. You can verify what I'm saying with > something > >>>> >> >> > > along > >>>> >> >> > > the > >>>> >> >> > > lines of: > >>>> >> >> > > > >>>> >> >> > > strings /proc/$(pidof mesos-slave)/environ | grep ^SSL_ > >>>> >> >> > > > >>>> >> >> > > > >>>> >> >> > > On Friday, August 7, 2015, Dharmit Shah > >>>> >> >> > > <[email protected]> > >>>> >> >> > > wrote: > >>>> >> >> > >> > >>>> >> >> > >> Hello again, > >>>> >> >> > >> > >>>> >> >> > >> Thanks for your responses. I will share what I tried after > >>>> >> >> > >> your > >>>> >> >> > >> suggestions. > >>>> >> >> > >> > >>>> >> >> > >> 1. `ldd /usr/sbin/mesos-master` and `ldd > >>>> >> >> > >> /usr/sbin/mesos-slave` > >>>> >> >> > >> returned similar output as one suggested by Craig. So, I > >>>> >> >> > >> guess, > >>>> >> >> > >> the > >>>> >> >> > >> Mesosphere repo binaries have SSL enabled. Right? > >>>> >> >> > >> > >>>> >> >> > >> 2. I created SSL private key and cert on one system in my > >>>> >> >> > >> cluster > >>>> >> >> > >> by > >>>> >> >> > >> referring this guide on DO [1]. Admittedly, my knowledge of > >>>> >> >> > >> SSL is > >>>> >> >> > >> limited. > >>>> >> >> > >> > >>>> >> >> > >> 3. Next, I copied the key and cert to all three > mesos-master > >>>> >> >> > >> nodes > >>>> >> >> > >> and > >>>> >> >> > >> four mesos-slave nodes. Shouldn't slave nodes be provided > >>>> >> >> > >> only > >>>> >> >> > >> with > >>>> >> >> > >> the cert and not the private key? Whereas all master nodes > >>>> >> >> > >> may > >>>> >> >> > >> have > >>>> >> >> > >> the private key and cert both. Or am I understanding SSL > >>>> >> >> > >> incorrectly > >>>> >> >> > >> here? > >>>> >> >> > >> > >>>> >> >> > >> 4. After copying the cert and key, I started the > mesos-master > >>>> >> >> > >> service > >>>> >> >> > >> on master nodes with below command: > >>>> >> >> > >> > >>>> >> >> > >> $ sudo SSL_ENABLED=true SSL_KEY_FILE=~/ssl/mesos.key > >>>> >> >> > >> SSL_CERT_FILE=~/ssl/mesos.crt /usr/sbin/mesos-master > >>>> >> >> > >> > >>>> >> >> > >> > >>>> >> >> > >> > >>>> >> >> > >> --zk=zk://172.19.10.111:2181,172.19.10.112:2181, > 172.19.10.193:2181/mesos > >>>> >> >> > >> --port=5050 --log_dir=/var/log/mesos > >>>> >> >> > >> --acls=file:///root/acls.json > >>>> >> >> > >> --credentials=/home/isys/mesos --quorum=2 > >>>> >> >> > >> --work_dir=/var/lib/mesos > >>>> >> >> > >> > >>>> >> >> > >> I check web UI and things look good. I am not completely > sure > >>>> >> >> > >> if > >>>> >> >> > >> "https" should have worked for mesos web UI but, it didn't. > >>>> >> >> > >> > >>>> >> >> > >> 5. Next, I start slave nodes with below command: > >>>> >> >> > >> > >>>> >> >> > >> $ sudo SSL_ENABLED=true SSL_CERT_FILE=~/mesos.crt > >>>> >> >> > >> SSL_KEY_FILE=~/mesos.key /usr/sbin/mesos-slave > >>>> >> >> > >> > >>>> >> >> > >> > >>>> >> >> > >> > >>>> >> >> > >> > >>>> >> >> > >> --master=zk://172.19.10.111:2181,172.19.10.112:2181, > 172.19.10.193:2181/mesos > >>>> >> >> > >> --log_dir=/var/log/mesos --containerizers=docker,mesos > >>>> >> >> > >> --executor_registration_timeout=15mins > >>>> >> >> > >> > >>>> >> >> > >> Mesos web UI reported four mesos-slave nodes in "Activated" > >>>> >> >> > >> mode. > >>>> >> >> > >> So > >>>> >> >> > >> far so good. I am still wondering how I should verify if > >>>> >> >> > >> communication > >>>> >> >> > >> is happening over SSL. > >>>> >> >> > >> > >>>> >> >> > >> 6. To check if SSL is indeed working, I stopped one slave > >>>> >> >> > >> node and > >>>> >> >> > >> started it without SSL using `systemctl start > mesos-slave`. I > >>>> >> >> > >> was > >>>> >> >> > >> expecting it to not get into "Activated" state on Mesos web > >>>> >> >> > >> UI but > >>>> >> >> > >> it > >>>> >> >> > >> did. So, I think SSL is not configured properly by me. > >>>> >> >> > >> > >>>> >> >> > >> I am attaching logs from the master nodes. These logs were > >>>> >> >> > >> generated > >>>> >> >> > >> after starting masters with command specified in point 4. > >>>> >> >> > >> > >>>> >> >> > >> Let me know if I am doing something wrong or if you need > more > >>>> >> >> > >> logs > >>>> >> >> > >> or > >>>> >> >> > >> need me to execute some specific commands. > >>>> >> >> > >> > >>>> >> >> > >> [1] > >>>> >> >> > >> > >>>> >> >> > >> > >>>> >> >> > >> > >>>> >> >> > >> > https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs > >>>> >> >> > >> > >>>> >> >> > >> Regards, > >>>> >> >> > >> Dharmit. > >>>> >> >> > >> > >>>> >> >> > >> On Fri, Aug 7, 2015 at 2:52 AM, Michael Park > >>>> >> >> > >> <[email protected]> > >>>> >> >> > >> wrote: > >>>> >> >> > >> > Hi Dharmit, > >>>> >> >> > >> > > >>>> >> >> > >> > I'm not certain whether the Mesosphere deb packages have > >>>> >> >> > >> > SSL > >>>> >> >> > >> > enabled or > >>>> >> >> > >> > not, > >>>> >> >> > >> > although based on Craig's observation it looks like it > is. > >>>> >> >> > >> > > >>>> >> >> > >> > I think the correct way to enable SSL is to set the > >>>> >> >> > >> > SSL_ENABLED > >>>> >> >> > >> > environment > >>>> >> >> > >> > variable, rather than /etc/mesos-master/ssl_enabled. Of > >>>> >> >> > >> > course, > >>>> >> >> > >> > along > >>>> >> >> > >> > with > >>>> >> >> > >> > the rest of the SSL_ environment variables. > >>>> >> >> > >> > > >>>> >> >> > >> > e.g. SSL_ENABLED=true > >>>> >> >> > >> > SSL_KEY_FILE=<path-to-your-private-key> > >>>> >> >> > >> > SSL_CERT_FILE=<path-to-your-certificate> ./mesos-master > >>>> >> >> > >> > <master-flags> > >>>> >> >> > >> > > >>>> >> >> > >> > MPark. > >>>> >> >> > >> > > >>>> >> >> > >> > On Thu, Aug 6, 2015 at 9:30 AM craig w > >>>> >> >> > >> > <[email protected]> > >>>> >> >> > >> > wrote: > >>>> >> >> > >> >> > >>>> >> >> > >> >> I've run ldd on /usr/sbin/mesos-master (on CentOS 7 > using > >>>> >> >> > >> >> mesos > >>>> >> >> > >> >> 0.23 > >>>> >> >> > >> >> from > >>>> >> >> > >> >> mesosphere repo) and I see "libssl.3.so" and > >>>> >> >> > >> >> "libssl.so.10" > >>>> >> >> > >> >> > >>>> >> >> > >> >> On Thu, Aug 6, 2015 at 12:20 PM, Jeff Schroeder > >>>> >> >> > >> >> <[email protected]> wrote: > >>>> >> >> > >> >>> > >>>> >> >> > >> >>> Can you run ldd on the mesos-master or mesos-slave > >>>> >> >> > >> >>> binaries? I > >>>> >> >> > >> >>> believe > >>>> >> >> > >> >>> you *should* see openssl libraries in the output if > those > >>>> >> >> > >> >>> packages are > >>>> >> >> > >> >>> configured using --enable-ssl. > >>>> >> >> > >> >>> > >>>> >> >> > >> >>> On Thu, Aug 6, 2015 at 9:46 AM, Dharmit Shah > >>>> >> >> > >> >>> <[email protected]> > >>>> >> >> > >> >>> wrote: > >>>> >> >> > >> >>>> > >>>> >> >> > >> >>>> Hello, > >>>> >> >> > >> >>>> > >>>> >> >> > >> >>>> I followed Mesos cluster setup guide on the Mesosphere > >>>> >> >> > >> >>>> website > >>>> >> >> > >> >>>> [1]. I > >>>> >> >> > >> >>>> set it up on a CentOS 7 system. For installation of > >>>> >> >> > >> >>>> packages, > >>>> >> >> > >> >>>> I > >>>> >> >> > >> >>>> went > >>>> >> >> > >> >>>> with Mesosphere provided repositories. > >>>> >> >> > >> >>>> > >>>> >> >> > >> >>>> Now that Mesos 0.23 has been released with SSL > >>>> >> >> > >> >>>> capabilities, > >>>> >> >> > >> >>>> I > >>>> >> >> > >> >>>> believe > >>>> >> >> > >> >>>> it is possible to have communication between the > master, > >>>> >> >> > >> >>>> slaves > >>>> >> >> > >> >>>> and > >>>> >> >> > >> >>>> frameworks be secured by SSL. Am I right? > >>>> >> >> > >> >>>> > >>>> >> >> > >> >>>> I would like to set it up in my environment. I am > using > >>>> >> >> > >> >>>> `mesos-0.23.0-1.0.centos701406.x86_64`. > >>>> >> >> > >> >>>> > >>>> >> >> > >> >>>> The official Mesos documentation on the topic [2] > >>>> >> >> > >> >>>> illustrates > >>>> >> >> > >> >>>> how > >>>> >> >> > >> >>>> things can be setup when building Mesos from source. > >>>> >> >> > >> >>>> > >>>> >> >> > >> >>>> I would like to know if Mesos package shipped by > >>>> >> >> > >> >>>> Mesosphere > >>>> >> >> > >> >>>> repo > >>>> >> >> > >> >>>> has > >>>> >> >> > >> >>>> this feature or not yet? I tried setting > >>>> >> >> > >> >>>> `/etc/mesos-master/ssl_enabled` on one of the master > >>>> >> >> > >> >>>> nodes. > >>>> >> >> > >> >>>> But > >>>> >> >> > >> >>>> restarting `mesos-master` service failed stating that > >>>> >> >> > >> >>>> option > >>>> >> >> > >> >>>> `ssl_enabled` is unknown. > >>>> >> >> > >> >>>> > >>>> >> >> > >> >>>> Thanks for your help! > >>>> >> >> > >> >>>> > >>>> >> >> > >> >>>> [1] > >>>> >> >> > >> >>>> > >>>> >> >> > >> >>>> > >>>> >> >> > >> >>>> > http://open.mesosphere.com/getting-started/datacenter/install/ > >>>> >> >> > >> >>>> [2] > >>>> >> >> > >> >>>> > http://mesos.apache.org/documentation/latest/mesos-ssl/ > >>>> >> >> > >> >>>> > >>>> >> >> > >> >>>> Regards, > >>>> >> >> > >> >>>> Dharmit. > >>>> >> >> > >> >>> > >>>> >> >> > >> >>> > >>>> >> >> > >> >>> > >>>> >> >> > >> >>> > >>>> >> >> > >> >>> -- > >>>> >> >> > >> >>> Jeff Schroeder > >>>> >> >> > >> >>> > >>>> >> >> > >> >>> Don't drink and derive, alcohol and analysis don't mix. > >>>> >> >> > >> >>> http://www.digitalprognosis.com > >>>> >> >> > >> >> > >>>> >> >> > >> >> > >>>> >> >> > >> >> > >>>> >> >> > >> >> > >>>> >> >> > >> >> -- > >>>> >> >> > >> >> > >>>> >> >> > >> >> https://github.com/mindscratch > >>>> >> >> > >> >> https://www.google.com/+CraigWickesser > >>>> >> >> > >> >> https://twitter.com/mind_scratch > >>>> >> >> > >> >> https://twitter.com/craig_links > >>>> >> >> > > > >>>> >> >> > > > >>>> >> >> > > > >>>> >> >> > > -- > >>>> >> >> > > Text by Jeff, typos by iPhone > >>>> >> >> > > >>>> >> >> > > >>>> >> > > >>>> >> > > >>>> > > >>>> > > >>> > >>> > >> > > > -- Deshi Xiao Twitter: xds2000 E-mail: xiaods(AT)gmail.com
