Stuff I'm Up To

Technical Ramblings

Google Home and Kodi — November 29, 2017

I thought I’d take the opportunity to add a Google Home to my gadget collection. After all, it’s on a £50 off sale this week, so it comes in at £79 delivered.

What I really want from it above all is to control my Kodi setup. Being able to voice control what movie or TV show to play would make the wife’s life a lot easier – and when she’s happy, I’m happy.

This is where I came across the GoogleHomeKodi project on GitHub and referenced on the Kodi forum here.

VMware Remote Console for Linux — November 22, 2017

This has frustrated me for as long as I can remember. How do I manage our VMware vSphere estate when the tools provided don’t work reliably on Linux?

First there was the vCenter problem of depending on Flash Player. Thankfully they released v6.5, which has a new HTML5 based interface – no more Flash Player!

https://vcsa/ui

Then, from inside there, you can download the VMware Remote Console (VMRC) and install it to remote onto the actual vSphere guest rather than relying on other guest remote tools like RDS or VNC.

Only trouble with VMRC is that it would not install on my Debian system. I upgraded to the Debian Buster/Sid (testing) version and still can’t get it to work.

Then I couldn’t uninstall it either!

The uninstall complains that there is an unmet dependency for vmware-usbarbitrator<=17.1.1. Try as I might, I couldn’t get that to install either. I ran the installer bundle with -x [path] to extract it, then manually tried to get vmware-usbarbitrator to run. Then gave up.

Time to resort to using VMware Workstation Player! Yes, the player can open vmrc:// links. But I couldn’t get it to install because it too complained about vmware-usbarbitrator. So I had to revisit removing VMRC.

To get the removal to work I used DB Explorer for SQLite and opened the /etc/vmware-installer/database file. Then I deleted the row from the table component_dependencies that contained vmware-usbarbitrator>=17.1.1.

Then I could remove VMRC using:

$ sudo vmware-installer -u vmware-vmrc

This did the trick and it got rid of VMRC. A vmware-installer -l still showed VIX so I removed that too.

$ sudo vmware-installer -u vmware-vix

Now my VMware Workstation Player bundle installed successfully. So I ran it from the menu. I left the license empty at this point and accepted the dialogs required to get to the main VMware Player app.

Now it’s just a case of going back to my vCenter Server Appliance (https://vcsa/ui) management interface and clicking on a guest’s “Launch Remote Console” link. It fires up VMware Player, asks for credentials for the vcsa, and up pops the guest remote screen!


PaperCut Certificate — November 21, 2017

Time to replace the PaperCut web server certificate. So pleased I ran into Keystore Explorer previously as this made changing the web server certificate a breeze.

Put simply, you create a new keystore file in the Program Files\PaperCut MF\server\custom folder and import the certificate you obtained from your internal CA. We did this using MMC and the Certificates snap-in on the print server. Then export the certificate with its private key to a .pfx file, and import the .pfx into the new keystore in Keystore Explorer.

Edit the server.properties file in Program Files\PaperCut MF\server and add the relevant keystore and password details:

### SSL/HTTPS Configuration (Default: 9192) ###
server.ssl.port=9192

# Custom SSL keystore example (recommend placing in the custom directory)
server.ssl.keystore=custom/my-ssl-keystore
server.ssl.keystore-password=myPassword
server.ssl.key-password=myPassword

Restart the PaperCut services, give it a minute and the user and admin portal should now be using the new certificate.

https://printserver.domain.local:9192/admin

Now every printer that has an embedded PaperCut app will need to be updated to accept the new certificate. This means you have to visit the PaperCut admin console on every device – yes, that’s the painful bit if you have a lot of printers. Log in to the console and click Apply, even though you’ve made no change. This will then ask you to accept and trust the new certificate.

References

https://warlord0blog.wordpress.com/2017/11/14/java-keystore-management/

https://www.papercut.com/products/ng/manual/common/topics/tools-ssl-key-generation-certificate-authority-import-new.html

vSphere SSH failed to connect to host — November 17, 2017

When trying to apply patches to one of our ESXi 6.0 hosts I found I couldn’t connect to it using ssh. Stopping and starting SSH from vCenter didn’t work. Neither did disabling/enabling from the DCUI.

From my client I’d see:

ssh_exchange_identification: Connection closed by remote host

So I resorted to checking out the server from the console. First I made sure SSH was stopped from either of the GUIs.

Use ALT-F1 at the DCUI and logon to the host using your root account.

Then I tried to start sshd as a daemon using:

# /usr/lib/vmware/openssh/bin/sshd -D

Which reported the errors “Unsupported option running” and “Unsupported option PrintLastLog”.

So I edited my /etc/ssh/sshd_config file. I don’t know what caused it, but it was just a # missing from the first line. I guess I must have spannered it at some point when editing it to disable some ciphers. The good news is that with this method I can at least get some clear output from sshd -D telling me why it isn’t starting properly.

# running from inetd
# Port 2200
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

UsePrivilegeSeparation no

SyslogFacility auth
LogLevel info

PermitRootLogin yes

PrintMotd yes
PrintLastLog no

TCPKeepAlive yes

X11Forwarding no

...

So just to be safe I checked the other hosts and copied an sshd_config from one of the known good ones.
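A small linter, added here as an example and not part of the original post, that reproduces the fault above offline: it reads an sshd_config and reports any non-comment line whose keyword it does not recognise, the way sshd reports an unsupported option. The keyword list is a constructed subset of OpenSSH’s, and the sample config is constructed with the leading # missing from the first line.

```python
import re

# Constructed subset of sshd_config keywords (lower-cased); extend it for
# real use.  sshd matches keywords case-insensitively, so we do too.
KNOWN_OPTIONS = {
    "port", "protocol", "hostkey", "useprivilegeseparation",
    "syslogfacility", "loglevel", "permitrootlogin", "printmotd",
    "printlastlog", "tcpkeepalive", "x11forwarding", "ciphers",
    "listenaddress", "subsystem", "passwordauthentication", "match",
}


def lint_sshd_config(text):
    """Return [(line_no, message)] for directives sshd would not recognise.
    Blank lines and '#' comments are skipped, as sshd skips them."""
    problems = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" or "Keyword=value"
        keyword = re.split(r"[\s=]", line, maxsplit=1)[0]
        if keyword.lower() not in KNOWN_OPTIONS:
            problems.append((no, "Unsupported option %s" % keyword))
    return problems


# Constructed sample reproducing the fault above: the '#' has been lost
# from the first line, so "running" is read as a directive.
BROKEN = """running from inetd
# Port 2200
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
PrintLastLog no
"""
FIXED = "# " + BROKEN  # restore the comment marker on line 1

if __name__ == "__main__":
    for no, msg in lint_sshd_config(BROKEN):
        print("line %d: %s" % (no, msg))
```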

Monitor Security Flow — November 15, 2017

We stream the Juniper SRX logs out to our syslog server and that seems to work quite well. It is reliant upon us having the relevant log setting in the rules.

So for rules where we permit traffic we can log the data at session-close:

...
    then {
        permit;
        log {
            session-close;
        }
    }

But in our Deny All rules we log the session-init – because a denied session never gets closed (it’s never opened). So the session-init just logs the attempt:

...
    then {
        deny;
        log {
            session-init;
        }
    }
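What you do with those events once they reach the syslog server is the other half of the picture. Below is an added example, not part of the original post, that separates the two event types described above: permit rules with session-close logging produce RT_FLOW_SESSION_CLOSE messages, deny rules with session-init logging produce RT_FLOW_SESSION_DENY. The sample lines are constructed in the shape of SRX structured syslog (key="value" pairs) and are not real captures; field names beyond source/destination address and port, policy-name and the byte counters are assumptions.

```python
import re
from collections import Counter

# Constructed sample events in the shape of SRX structured syslog; not a
# real capture.  Permit rules give SESSION_CLOSE, deny rules SESSION_DENY.
SAMPLE_LOG = """\
<14>1 2017-11-15T10:00:01Z srx RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="192.168.56.10" source-port="51234" destination-address="10.0.0.5" destination-port="443" policy-name="allow-web" bytes-from-client="1200" bytes-from-server="9000"]
<14>1 2017-11-15T10:00:02Z srx RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.129 source-address="192.168.56.10" source-port="40001" destination-address="10.0.0.5" destination-port="22" policy-name="deny-all"]
<14>1 2017-11-15T10:00:03Z srx RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.129 source-address="192.168.56.10" source-port="40002" destination-address="10.0.0.5" destination-port="22" policy-name="deny-all"]
<14>1 2017-11-15T10:00:04Z srx RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.129 source-address="10.9.9.9" source-port="1025" destination-address="10.0.0.5" destination-port="3389" policy-name="deny-all"]
"""

EVENT_RE = re.compile(r"(RT_FLOW_SESSION_\w+) \[(.*)\]")
KV_RE = re.compile(r'(\S+?)="([^"]*)"')


def parse_events(text):
    """Yield (event_name, {field: value}) for each RT_FLOW line;
    any other syslog line is skipped."""
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            yield m.group(1), dict(KV_RE.findall(m.group(2)))


def summarise(text):
    """Return (denied attempts per (source, destination-port),
    bytes transferred per permit policy)."""
    denies, bytes_by_policy = Counter(), Counter()
    for name, f in parse_events(text):
        if name == "RT_FLOW_SESSION_DENY":
            denies[(f["source-address"], f["destination-port"])] += 1
        elif name == "RT_FLOW_SESSION_CLOSE":
            bytes_by_policy[f["policy-name"]] += (
                int(f["bytes-from-client"]) + int(f["bytes-from-server"]))
    return denies, bytes_by_policy


if __name__ == "__main__":
    denies, by_policy = summarise(SAMPLE_LOG)
    for (src, port), n in denies.most_common():
        print("%s -> port %s denied %d time(s)" % (src, port, n))
    print(dict(by_policy))
```

Repeated denies from one source to one port stand out immediately in the first counter, and a permit policy missing from the second counter is a hint that its session-close logging is not configured.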

But what if we’re missing some rule logging, or are unsure whether packets are actually arriving at the firewall? That’s where monitor security flow comes in handy.

At the CLI on the SRX you need to set up and activate the security flow monitor, the filters to apply and the file to log to. In this example we’re going to capture packets from a specific IP address on a particular interface.

Create a named filter called ‘myfilter’ and then create a file to log into:

> monitor security flow filter interface reth0 source-prefix 192.168.56.10 myfilter
> monitor security flow file size 10240 securityflow.log

Then you can start and stop the monitor as you need, and look at the content of the file:

> monitor security flow start
> monitor security flow stop
> show log securityflow.log

View the current status of your monitor:

> show monitor security flow

Monitor security flow session status: Active
Monitor security flow trace file: /var/log/securityflow.log
Monitor security flow filters: 1
  Name: myfilter
    Status: Active
    Source: 192.168.56.10/32 (port 0~65535)
    Destination: 0.0.0.0/0 (port 0~65535)
    Logical system: root-logical-system
    Interface: reth0.0

Copy the log file to another system if you want to analyse it further:

> file copy /var/log/securityflow.log scp://user@server.domain.local:~/

After stopping your monitor, you can tidy up by removing your file and filter using:

> file delete /var/log/securityflow.log
> clear monitor security flow filter myfilter


Horizon View Client v4.6.0 —

I decided to upgrade my VMware Horizon View client today. It still has the same kind of issues as detailed here: https://warlord0blog.wordpress.com/2016/10/21/vmware-horizon-client-for-linux/

This time around my problems were with libgstreamer components. Even though I ensured they were installed, the libraries were a different version than the one required by the client.

Specifically required:

  • libgstapp-0.10.so.0
  • libgstbase-0.10.so.0
  • libgstreamer-0.10.so.0

On my Debian Stretch install I had 1.0 versions.

So a quick fix by symlinking these made the scan issues go away:

$ cd /usr/lib/x86_64-linux-gnu
$ sudo ln -s libgstapp-1.0.so.0 libgstapp-0.10.so.0
$ sudo ln -s libgstbase-1.0.so.0 libgstbase-0.10.so.0
$ sudo ln -s libgstreamer-1.0.so.0 libgstreamer-0.10.so.0

Java Keystore Management — November 14, 2017

In the process of getting a new queue management system installed I discovered they’re using HTTP and not HTTPS. As part of our security process I had to recommend they change this to an HTTPS/SSL encrypted portal, as it uses a logon process that would otherwise be in clear text.

The product is based on Wildfly and Java, so they are progressing the deployment using Java keystores (JKS) and certificates. When they pointed me to their installation guide I discovered they recommend the use of Keystore Explorer for managing the Java certificates.

So I downloaded it and have to say I’m impressed. It makes life so much easier when trying to manage certificates from Windows CAs, OpenSSL and JKS. Definitely a valuable addition to my tool box. As it’s written in Java it’s available for Windows, Linux and fruit based systems.

Link: http://keystore-explorer.org/

Systemd and systemctl services — November 1, 2017

I know it isn’t all that new, but it’s not something I’ve spent much time working with, having previously used init.d to enable/disable system services. Today I removed a program from my system and purged the config files. But it left behind a service in a failed condition. Of course it failed. I had just removed all the files and config.

Using systemctl I could see my magicbox service still there and failed:

$ systemctl status magicbox.service                                   
● magicbox.service - Magic Box process
   Loaded: loaded (/usr/lib/systemd/system/magicbox.service; enabled; ven
   Active: failed (Result: exit-code) since Wed 2017-11-01 13:36:57 GMT; 1min 9s
  Process: 839 ExecStart=/opt/magicbox/embedded/bin/start (code=exited, s
 Main PID: 839 (code=exited, status=203/EXEC)

Thankfully the clue is in the output. It tells me where the .service file is on the Loaded: line. So to tidy up I followed part of the guidance I found here:

https://superuser.com/questions/513159/how-to-remove-systemd-services

$ sudo systemctl disable [servicename]
$ sudo rm /etc/systemd/system/[servicename]
$ sudo systemctl daemon-reload
$ sudo systemctl reset-failed

But bear in mind that the service I want to remove isn’t located there. It’s under /usr/lib/systemd/system, so I needed to remove that file instead.

References

https://manpages.debian.org/jessie/systemd/systemd.unit.5.en.html – See table 1

https://medium.com/@johannes_gehrs/getting-started-with-systemd-on-debian-jessie-e024758ca63d

JunOS static-nat and proxy-arp — October 31, 2017

I’m still relatively new to JunOS, even though it’s been installed for several months now. Today’s problem was traffic not passing through a new static-nat that I’d set up. I checked the config for static-nats that already existed and couldn’t see the problem.

I needed to look at how the static-nat gets presented on the interface. It’s no good having a NAT rule if the firewall never announces that it holds that IP address on an interface. Without proxy-arp the SRX never answers ARP for the address, so nothing reaches the NAT rule because, as far as the network is concerned, the IP doesn’t exist.

To do this, make sure you add a proxy-arp address on the interface through which you want the IP address to be reached.

e.g.

set security proxy-arp interface reth1.99 address 192.168.99.99/32

Then you’ll have a related rule entry in your security nat static rule-set stanza to handle the translation.

e.g.

show rule MyRule   
match {
    destination-address 192.168.99.99/32;
}
then {
    static-nat {
        prefix {
            192.168.0.99/32;
        }
    }
}
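Since the failure is silent (the rule is valid, it just never sees a packet), it is worth auditing for. The following is an added example, not part of the original post: it reads a “display set” style config and lists every static-nat rule whose match destination has no proxy-arp address on any interface. The config excerpt, rule-set and rule names are constructed, and only single-host proxy-arp entries are handled.

```python
import ipaddress
import re

# Constructed 'show configuration | display set' excerpt: MyRule is
# covered by a proxy-arp entry, Orphan is not and would pass no traffic.
SAMPLE_CONFIG = """\
set security proxy-arp interface reth1.99 address 192.168.99.99/32
set security nat static rule-set MySet from zone untrust
set security nat static rule-set MySet rule MyRule match destination-address 192.168.99.99/32
set security nat static rule-set MySet rule MyRule then static-nat prefix 192.168.0.99/32
set security nat static rule-set MySet rule Orphan match destination-address 192.168.99.100/32
set security nat static rule-set MySet rule Orphan then static-nat prefix 192.168.0.100/32
"""

ARP_RE = re.compile(r"^set security proxy-arp interface \S+ address (\S+)$")
NAT_RE = re.compile(
    r"^set security nat static rule-set \S+ rule (\S+) match destination-address (\S+)$")


def _host(prefix):
    """Normalise '192.168.99.99' and '192.168.99.99/32' to one address."""
    return ipaddress.ip_interface(prefix).ip


def find_nat_without_proxy_arp(config):
    """Return {rule: destination} for static-nat rules whose destination
    has no proxy-arp address on any interface.  Only single-host proxy-arp
    entries are handled; 'address A to B' ranges are not expanded."""
    proxied, rules = set(), {}
    for line in config.splitlines():
        line = line.strip()
        m = ARP_RE.match(line)
        if m:
            proxied.add(_host(m.group(1)))
            continue
        m = NAT_RE.match(line)
        if m:
            rules[m.group(1)] = m.group(2)
    return {rule: dst for rule, dst in rules.items()
            if _host(dst) not in proxied}


if __name__ == "__main__":
    for rule, dst in find_nat_without_proxy_arp(SAMPLE_CONFIG).items():
        print("static-nat rule %s: no proxy-arp for %s" % (rule, dst))
```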


Git – Version Control — October 13, 2017

We have a distinct lack of version control in the relatively small development team that manages one of our business applications. One of the main challenges isn’t really related to the developers, but to the vendor that connects remotely and “fixes” things without leaving any clue as to what has been changed.

So I came up with a sneaky plan to deploy Git onto the servers and manage the versions of configuration files used by the application. I can then capture any changes and roll back as necessary.

Tomcat log4j Errors — October 12, 2017

As I’ve been spending a lot of time with Tomcat these days I’ve tried to clear out the stderr log of error messages. One of the frustrating warnings I had to deal with was this:

log4j:WARN Continuable parsing error 208 and column 23
log4j:WARN The content of element type "log4j:configuration" must match "(renderer*,throwableRenderer?,appender*,plugin*,(category|logger)*,root?,(categoryFactory|loggerFactory)?)".

The log4j.xml file parsed correctly and was obviously working, as we were seeing log output. But this error had me baffled for a while. I checked the syntax of the XML file, ensured it was structurally sound, and couldn’t for the life of me spot the problem.

Turns out the order of the elements in the file is important and must match the order of the sequence listed above. We’d got some logger elements after the root element. Moving the root element below the logger elements made the error message go away.
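The same ordering rule can be checked before deployment. Below is an added example, not from the original post, that walks the top-level children of log4j:configuration and reports any element that appears earlier than the sequence in that warning allows (such as a logger after root). The two XML snippets are constructed.

```python
import xml.etree.ElementTree as ET

# Position of each element in the DTD sequence quoted by the warning:
# renderer*, throwableRenderer?, appender*, plugin*, (category|logger)*,
# root?, (categoryFactory|loggerFactory)?
ORDER = {
    "renderer": 0, "throwableRenderer": 1, "appender": 2, "plugin": 3,
    "category": 4, "logger": 4, "root": 5,
    "categoryFactory": 6, "loggerFactory": 6,
}


def _local(tag):
    """Drop an ElementTree namespace prefix of the form '{uri}name'."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def check_log4j_order(xml_text):
    """Return names of top-level elements that appear earlier than the DTD
    sequence allows, or that are not allowed at the top level at all.
    Cardinality (e.g. two <root> elements) is not checked."""
    out_of_order, highest = [], -1
    for child in ET.fromstring(xml_text):
        name = _local(child.tag)
        pos = ORDER.get(name)
        if pos is None or pos < highest:
            out_of_order.append(name)
        else:
            highest = pos
    return out_of_order


# Constructed samples: BAD places <logger> after <root>, GOOD swaps them.
BAD = """<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="CONSOLE" class="org.apache.log4j.ConsoleAppender"/>
  <root><level value="INFO"/><appender-ref ref="CONSOLE"/></root>
  <logger name="com.example"><level value="DEBUG"/></logger>
</log4j:configuration>"""
GOOD = """<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="CONSOLE" class="org.apache.log4j.ConsoleAppender"/>
  <logger name="com.example"><level value="DEBUG"/></logger>
  <root><level value="INFO"/><appender-ref ref="CONSOLE"/></root>
</log4j:configuration>"""

if __name__ == "__main__":
    print("bad:", check_log4j_order(BAD))    # ['logger']
    print("good:", check_log4j_order(GOOD))  # []
```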


Fun with NTP — October 4, 2017

One of our Debian servers had a large time discrepancy. Turned out NTP wasn’t installed or working.

After I installed ntp I still wasn’t seeing a time update, probably because I was more than 30 minutes adrift. So I had to force an ntp update.

Install ntp and set the servers in the .conf to match your NTP servers:

$ sudo apt-get install ntp
$ sudo vi /etc/ntp.conf

Then force a time update:

$ sudo systemctl stop ntp.service
$ sudo ntpd -gq
$ sudo systemctl start ntp.service

The ntpd may take a while before dropping you back to the prompt.