Introducing my the MQTT server that I’ve been working on, FlashMQ. I’m starting with test version 0.5.0. It’s ready for some testing and benchmarks, and of course development will continue.
Category: Technology (Page 4 of 47)
Sometimes you want to mix users with and without a roaming profile. As found here, you can use Samba’s pdbedit to set the “Profile Path” to empty:
pdbedit -p= leo
Then view the results with:
pdbedit -L -v leo
I logged off the user, performed that change, renamed the directory on the server just in case, and then logged on again. It worked like a charm.
There are a few gotchas you have to be aware of when working with Icinga 2 dependencies and downtimes.
Gotcha 1a: Downtimes and dependencies are independent of each other
Intuitively, I had expected downtime to always traverse down the parent-child dependency tree. It doesn’t. It’s opt-in. The ScheduledDowntime.child_options attribute can be set to DowntimeTriggeredChildren or DowntimeNonTriggeredChildren to make it so. (These options are called “schedule triggered downtime for all child hosts” and “schedule non-triggered downtime for all child hosts”, respectively, in Icingaweb2.) With one of these options set, runtime downtime objects will also be created for (grand)child hosts (but not services; see Gotcha 1b).
Gotcha 1b: Downtimes never traverse to child hosts’ services
In Icingaweb2, when you’re scheduling downtime for a host and choose to also “schedule (non-)triggered downtime for all child hosts”, this excludes services on those child hosts. The “All Services” toggle applies only to the current host. There is an (open, as of May 5 2020) Icingaweb 2 feature request to address this. So far, the only attempt to implement the Icinga 2 side of this was shot down by the Icinga maintainers on the basis of making things too complex. @dnsmichi would prefer rethinking the current options.
If you want to make it easy to schedule downtime for dependency chain involving numerous hosts and/or services, I recommend using a single HostGroup and/or ServiceGroup to make it easy to Shift-select all dependent objects in Icingaweb2 and schedule the downtime in batch. In the worst case you than have to select all objects in each group separately to plan the bulk downtime twice. In some cases, just a HostGroup may do (because in Icingaweb2 you can include downtime for all of a hosts services), but this won’t be sufficient if you have services that depend directly on other services rather than hosts.
From the configuration, it’s not at all possible to include all of a host’s services in the ScheduledDowntime objects. But, here it’s not really an issue, because it’s enough to abstract your downtime particularities into a template and apply that to both the Host and the Service objects that are to be affected.
Gotcha 2a: Child hosts will (almost) never become UNREACHABLE when the parent host fails and Dependency.disable_checks == true
object Host "A" {
}
object Host "B" {
}
object Dependency "B-needs-A" {
parent_host_name = "A"
child_host_name = "B"
disable_notifications = true
disable_checks = true
}
In this example, when host A goes down, the B-needs-A dependency is activated and notifications about B are suppressed (because disable_notifications == True). However, because checks are also disabled, host B never becomes unreachable, unless if you manually/explicitly trigger a check via the Icingaweb2 interface.
The means that any service on the child host (B in this example) will still generate notifications, because the (default) host-service dependencies will not be activated until the child host becomes UNREACHABLE. (Of course, any other non-UP state of the child host would also activate the the host-service dependencies.) The same goes for grandchild hosts.
So, if you want a child host to become UNREACHABLE when the parent host fails, Dependency.disable_checks must be false. Only as soon as the check fails will the host become UNREACHABLE.
Gotcha 2b: Grandchild dependencies don’t become active until the child/parent in between them fails
Dependencies are always between a parent and a child. Icinga never traverses further along the tree to determine that a grandchild should be UNREACHABLE rather than DOWN.
Take the following setup:
object Host "A" {
}
object Host "B" {
}
object Host "C" {
}
object Dependency "B-needs-A" {
parent_host_name = "A"
child_host_name = "B"
disable_notifications = true
}
object Dependency "C-needs-B" {
parent_host_name = "B"
child_host_name = "C"
disable_notifications = true
}
If host A fails, host B doesn’t become UNREACHABLE until its check_command returns a not-OK status. The same goes for host B and C. And, despite disable_notifications = true, problems with host C will generate notifications as long as host B is Up. Therefore, to avoid needless notifications, you must always make sure that the hosts go down in the order of the dependency chain. You can do this by playing with check_interval, max_check_attempts, and retry_interval. And, make sure that disable_checks is always false for any intermediate host or service in the dependency chain!
I keep forgetting which package to install in Ubuntu to get the DTDs for html, to stop xsltproc from hanging forever. So, for posterity: w3c-sgml-lib. I think it was w3c-dtd-xhtml in Ubuntu 16 and older.
On March 18th, Synacor posted about a critical Zimbra security vulnerability (CVE 2019 9670), which was quick to be exploited in the wild, and subsequently evolved to be harder to erradicate.
I’ve always had a weariness of authentication implementations by hosted applications, so I decided to block the Zimbra web mail interface using iptables (firewall), and only allow access through a separately hosted HTTP proxy which requires authentication. This way, no stray requests to API endpoints accidentally left open will be allowed. That is, almost none: I had to add exceptions to allow webdav traffic for contact and calendar synchronization. If you don’t use that, the exceptions can be left out.
Below is an example Apache configuration. Apache requires several modules to be enabled, which is an exercise left to the reader. Also, a similar proxy is easily implemented in Nginx; I just happened to have a spare Apache server.
Note that it’s best to not make the proxy the default virtual host on the web server. This avoids it being seen by IP probes. If set up properly, there is no trace visible from the outside that you’re using this proxy, and if you make it such that access to it requires the actual domain name (like mywebmail.example.net), it’s very hard for bots to see it (especially if you make the domain name a bit more unguessable).
When you access the web mail page, first you have to authenticate using old style HTTP authentication:
Anyway, here’s the proxy config:
<VirtualHost *:80> RewriteEngine on RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [L,R] ServerName webmail.example.net </VirtualHost> <VirtualHost *:443> ServerName webmail.example.net ServerAdmin webmaster@localhost SSLEngine on SSLCertificateFile /etc/letsencrypt/live/webmail.example.net/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/webmail.example.net/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/webmail.example.net/chain.pem SSLProxyEngine On ProxyPass / https://mail.example.net/ ProxyPassReverse / https://mail.example.net/ # For Webdav/carddav/caldav <Location /dav> Satisfy any Require all granted </Location> # For Let's Encrypt <Location /.well-known/> Satisfy any Require all granted </Location> # For Webdav/carddav/caldav <Location /principals/> Satisfy any Require all granted </Location> # For Webdav/carddav/caldav <Location /SOGo/> Satisfy any Require all granted </Location> # For Webdav/carddav/caldav <Location /groupdav.php> Satisfy any Require all granted </Location> <Location /> AuthType Basic AuthName "Zimbra webmail pre-login" AuthUserFile /etc/apache2/htpasswd/webmail Require valid-user # Exception IPs: no auth needed (for monitoring for instance) Require ip 1.2.3.4 </Location> ErrorLog ${APACHE_LOG_DIR}/webmail.example.net/error.log CustomLog ${APACHE_LOG_DIR}/webmail.example.net/access.log combined </VirtualHost>
I built a sound system for a friend, and programmed Philips RC5 remote control into the microcontroller. I recently ordered this remote:
To program:
- Press TV for 5 seconds until it lights up.
- Type 15526 as code
Here’s just a quick .gitconfig:
[core]
commentchar = %
[tig "color"]
date = cyan black bold
diff-header = cyan black
[tig]
ignore-case = yes
The colors are to make it readable on Windows Git Bash, because the dark blue is impossible to read.
And yes, I still have to set up my dotfiles github stuff.
At work, we had a small embedded PC that had a short in the mainboard. I attempted a fix, mostly for educational purposes. It wasn’t successful, but I wanted to post the method and result anyway. The method I used is elaborately explained on Youtube, so go hunt there for more details.
First I wanted to find the short. I opted for the method of connecting a current limited power supply and slowly cranking up the current till I can feel something heating up. To do so, I had to solder some wires to the input power jack first.
I set the supply to 1V and and started increasing the current. Given that small resistors have a rating of 250 mW, a 0.25 to 0.5 amps, giving 0.25 to 0.5 W, should be safe enough to gently heat up the shorted component. In the end, I had to increase the current to about 1.5 amps to detect a rising temperature.
I removed the cap in question:
Then I replaced it with hack (because I had no SMD parts here):
The short was gone, but it still didn’t power up. Then I gave up.
There is a bug in Konsole with tmux: lines often aren’t cleared properly. To fix, put this in tmux.conf:
set -as terminal-overrides ',*:indn@'
Just some example code for an nginx maintenance page:
server { listen 80; listen 443 ssl; server_name www.example.com; ssl_certificate_key /etc/ssl/temp/wildcard.example.com.key; ssl_certificate /etc/ssl/temp/wildcard.example.com.fullchainchain.crt; location = /503.html { root /srv/http/maintenance/; } location = /logo.png { root /srv/http/maintenance/; } location / { if ($remote_addr != 1.2.3.4) { error_page 503 /503.html; return 503; } } }
Recent Comments