Feb 03

The rui.crt that vCenter presents on its HTTPS port can be grabbed (assuming your server is 192.168.1.2) by pulling the certificate out of a TLS handshake; nothing in this pipeline validates what comes back, so compare the file's fingerprint with the one the vSphere client shows before you trust it:

openssl s_client -connect 192.168.1.2:443 < /dev/null   |   \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'   > rui-192.168.1.2.crt

So what’s up with this?  When installing my company’s product, we always go through this goose-chase to find a rui.crt.  Seriously, it’s a pain, we need to dig through a bunch of directories, and in the end, sometimes we’re still scratching our heads.

Our customers just want something they can cut-n-paste.  Of course, the line above only works on non-Windows, but I have reduced concern for those trying to fly with wings of lead: there’s a limit as to what you can do with Windows.  Accept it.

HUGE Kudos to “Bruno” on StackExchange whose LDAP Certificate response was the key win for this.
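The same job in Python, as an added example rather than the post's own command: it fetches the certificate the way the pipeline does (no validation at all, so whatever answers on the port, including a man in the middle, is what you get), pulls the PEM blocks out of s_client-style output (including a whole chain from -showcerts), and computes the fingerprint to compare against the vSphere client before the file is trusted. The sample s_client output is constructed, and its two PEM bodies are base64 of "hello" and "world", not real certificates, so the extraction and hashing can be exercised offline.

```python
"""Grab the certificate a TLS endpoint presents and fingerprint it (added example)."""
import base64
import hashlib
import ssl

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed stand-in for `openssl s_client -showcerts` output. The PEM bodies
# are base64 of "hello" and "world", NOT real certificates.
SAMPLE_S_CLIENT_OUTPUT = """CONNECTED(00000003)
depth=0 CN = vcenter.example.com
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:/CN=vcenter.example.com
-----BEGIN CERTIFICATE-----
aGVsbG8=
-----END CERTIFICATE-----
 1 s:/CN=example-ca
-----BEGIN CERTIFICATE-----
d29ybGQ=
-----END CERTIFICATE-----
---
Server certificate
"""


def fetch_pem(host, port=443):
    """Leaf certificate the server presents, PEM encoded.

    ssl.get_server_certificate() connects with CERT_NONE: it verifies nothing,
    the same trust-on-first-use as the openssl | sed pipeline.
    """
    return ssl.get_server_certificate((host, port))


def extract_pem_blocks(text):
    """Every PEM certificate in s_client-style output, one string per block.

    Same job as the sed range above, but each certificate of a chain comes back
    separately and text outside the BEGIN/END markers is ignored.
    """
    blocks, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == BEGIN:
            current = [line]
        elif current is not None:
            current.append(line)
            if line == END:
                blocks.append("\n".join(current) + "\n")
                current = None
    return blocks


def fingerprint(pem, algo="sha256"):
    """Colon-separated digest of the DER bytes, the form openssl x509 -fingerprint prints."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(body)
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def save_cert(host, port=443, path=None):
    """Fetch the leaf, write rui-<host>.crt, return (path, sha256 fingerprint) to check out of band."""
    pem = fetch_pem(host, port)
    path = path or "rui-%s.crt" % host
    with open(path, "w") as fh:
        fh.write(pem)
    return path, fingerprint(pem)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; against a live server use
    # save_cert("192.168.1.2") and compare the printed fingerprint with the vSphere client.
    for i, block in enumerate(extract_pem_blocks(SAMPLE_S_CLIENT_OUTPUT)):
        print(i, fingerprint(block))
```

The fingerprint is the only thing that ties the file to the server you meant: a DNS or ARP trick on the way to 192.168.1.2 produces an equally well-formed rui.crt, and neither the sed pipeline nor fetch_pem() would notice.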

Jan 20

A friend asked me about rsync, and I remembered I hadn’t posted my success story; in short, it works, you don’t need to install all of Cygwin, but there are weaknesses in the filesystem exposed occasionally.

In Auto FS Mounted FTP via FUSE, I discussed setting up an FTP client as a filesystem to do a client-side pull of FTP content.  That turned out quite vulnerable to our IT guy randomly truncating a connection through the firewall: the data stream didn’t seem to handle timeouts, and any process waiting on a data buffer tends to hang.  Pulling data from a filesystem is a kernel-level thing, so a process cannot really abort a hanging FUSE request.  Bad news.

I later found the simplified route, and installed it on the FTP server:

  1. download the ZIP file (cygwin-rsyncd-2.6.8_0.zip)
  2. unpack the zip file
  3. use rsync.exe, which loads the bundled Cygwin DLL
  4. that’s it

The rsync.exe is a Cygwin binary, and acts very similarly to its UNIX-y cousins; instead of installing a huge Cygwin stack, the developer has bundled just the necessary parts of Cygwin into a single smaller DLL, and provides it for rsync’s dependency.  There are a few other files in there, but as an rsync client, I didn’t need them.

The server has a fairly standard rsync server config, with an rsyncd.conf identifying shared directories as modules, and such.  In general, if you have a working rsyncd, you can connect to it from this rsync.exe.

Finally, my command line, as an example (my rsync.exe and the DLL are in C:\Program Files\rsync\, hand-installed), is as follows. Note that I’ve broken the line up with back-slashes to show functional groups, but when you run it, you should have it all on one line, without backslashes except the rsync.exe path.

"C:\Program Files\rsync\rsync.exe"  \
  --exclude=some-skipped-file --exclude=*a_wildcard_pattern* --exclude=backup*z  \
  --exclude=backup*.zip --exclude=*.mov --exclude=*.wmv --exclude=.*  \
  --delete --delete-excluded --chmod=ugo=rX  \
  -avr  /cygdrive/f/path/to/users/library/  server.example.com::library/

The server’s rsyncd.conf defines the module (the name after the “::” in the command has to match the bracketed stanza name; the stanza below is the upload-only one):

[ftp-services]
path = /shared/docs/library
uid = libraryowner
gid = docs-ro
comment = Library to share to all remote staff
write only = true
read only = false
list = false
exclude = some-skipped-file *a_wildcard_pattern* backup*z
incoming chmod = u=rwX

You’ll notice a few things that are unusual here:

  1. I use “-avr” in my rsync command; “-r” is redundant with “-a” (which already implies recursion), so try it without.
  2. the source and destination paths end in a slash.  A trailing slash on the source means “the contents of this directory” rather than the directory itself, so both sides get the same layout; I would recommend the same convention.  Be consistent.
  3. I used to have /library/* as my source, but on a push, deleted directories that were direct children of /library/ are gone, no longer found by the “*” wildcard, so their deletion does not sync.
  4. I have a bunch of --exclude options, some of which duplicate the rsyncd.conf entry.  Try removing some once you have yours working.
  5. ditto for the chmod: they should act similarly, and setting it on the server enforces consistency and avoids users forgetting.
  6. my uploads are write-only: I use a different share label in rsyncd.conf for uploads than I do for downloads, so that those who have the keys to read can’t butcher my stuff.
  7. for those crazy A:\, C:\ drive letters, you can use the Cygwin special path /cygdrive/a/ or /cygdrive/c/ to map to them without playing the game of escaped slashes: “was that 21 backslashes for 10 layers of scripting, or 22?”

If your transfer isn’t working (i.e. transfers nothing, or transfers it all every time):
  1. try adding “--stats” for a summary, or “-i” (--itemize-changes) to see what rsync decided about each file
  2. try adding “--max-size=20k” to avoid pushing HUGE files while diagnosing issues
  3. if the datestamping is seriously butchered on your Windows boxes, try the “-c” option to compare checksums instead of size and mtime, understanding it’ll take (much) longer to sync
  4. if you habitually rename files, and rsync faithfully re-pushes the file every time, “-y” or “--fuzzy” tells rsync’s receiver to look for a similarly named file in the destination directory and use it as the basis for a missing file
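A hardened version of that upload module, as an added example rather than the page’s own config: as written above, anyone who can reach port 873 may push into the module, because nothing in it restricts the source address or asks who is pushing. The module, account and network names below are assumptions; the paths and exclude list are the ones from the stanza above.

```ini
# rsyncd.conf, added hardening example (module, user and network names are assumptions)
uid = libraryowner
gid = docs-ro
use chroot = yes
max connections = 4
log file = /var/log/rsyncd.log
# global-section defaults apply to every module: refuse anything not from the office network
hosts allow = 192.168.1.0/24

[library-upload]
path = /shared/docs/library
comment = Library upload (push side only)
read only = false
write only = true
list = false
# the client must authenticate as "librarian"; /etc/rsyncd.secrets holds "librarian:<password>",
# must be owned by root and mode 0600, or "strict modes" (on by default) rejects it
auth users = librarian
secrets file = /etc/rsyncd.secrets
exclude = some-skipped-file *a_wildcard_pattern* backup*z
incoming chmod = u=rwX

[library]
path = /shared/docs/library
comment = Library to share to all remote staff (read side only)
read only = true
list = false
auth users = staff
secrets file = /etc/rsyncd.secrets
```

On the client the password should not land on the command line either: put it in a 0600 file and use --password-file=FILE, or export RSYNC_PASSWORD. Remember that the rsync:// protocol itself is unencrypted, so the module password and the content cross the network in clear; for anything sensitive push over SSH (server:path instead of server::module) instead.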

Good Luck!

Jan 10

When I have to connect to Windows systems, except for the known issues with the en_CA language, CoRD is a great Remote Desktop client.  If I could connect using bog-standard Mac OS X tools, then clearly this en_CA issue wouldn’t happen… and http://www.smoothblog.co.uk/2012/01/10/configure-vnc-vmware-esxi-5/ will show you how to do that.

Jan 09

A friend asked how to configure a VPN on Kindle Fire; the short answer is that it’s difficult, resisted by the manufacturer, and can go away in a heartbeat.


Nov 18

In my work, I find that customers need to continually grab some updated labels and data, and re-import. This is tedious.

Worse, it’s in the Windows world, so by comparison, scripting is in a toddler world (small, doesn’t understand, and has tantrums).

I end up using something like the following, understanding that pre-sharing a public SSH key is safer.

@echo off
REM -pw keeps each password in this file and on the plink command line, where anyone who
REM can list processes on this box can read it; key-based auth (plink -i key.ppk, after
REM loading the public key on each switch) avoids both.
REM Run this interactively once: plink stops to ask about each unknown host key, and
REM "-batch" makes it fail instead of prompting when the job runs unattended.

plink.exe -l ciscouser1 -pw Secr3tP@ssw0rd 192.168.0.1 "show device-alias database" > cisco1.csv
plink.exe -l ciscouser2 -pw Secr3tP@ssw0rd 192.168.0.2 "show fcalias" > cisco2.csv
plink.exe -l brocadeuser1 -pw Secr3tP@ssw0rd 192.168.0.3 "zonecfg" > brocade1.csv
plink.exe -l brocadeuser2 -pw Secr3tP@ssw0rd 192.168.0.4 "alishow" > brocade2.csv

REM merge the four dumps into one WWN-to-nickname table, then de-duplicate the nicknames
gawk.exe -f brocade-alishow2wwncsv.awk cisco1.csv cisco2.csv brocade1.csv brocade2.csv > nicknames-by-WWN.csv
gawk.exe -f unique-nicknames.awk nicknames-by-WWN.csv > E:\VirtualWisdomData\DeviceNickname\nicknames.csv

We’ve edited “brocade-alishow2wwncsv.awk” to accommodate broader formats, but I haven’t been able to check it on a wide range of platforms.

Oct 28

When continuing to build, using automake and autoconf, I ran into this:

checking whether make sets $(MAKE)... yes
checking for gcc... gcc
checking for C compiler default output file name...
configure: error: C compiler cannot create executables
See `config.log' for more details.
make: *** [config.status] Error 77

The config.log shows:

configure:2661: checking for C compiler default output file name
configure:2688: gcc conftest.c >&5
ld: library not found for -lcrt1.10.6.o
collect2: ld returned 1 exit status

There’s a lot of discussion about this, but basically, Apple didn’t check their own tool. Shame on you, Apple.

The fix is simple, embarrassingly so:

sudo ln -s /Developer/SDKs/MacOSX10.6.sdk/usr/lib/crt1.10.6.o /Developer/usr/llvm-gcc-4.2/lib

I would expect that this needs to be updated every release.

Oct 28

Like everyone else, my Xcode install broke the command-line tools I use very often. It seems Apple didn’t feel like testing their command line stuff at all, since it’s glaringly obvious that it fails:

autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force
autom4te: m4sugar/m4sugar.m4: no such file or directory
aclocal: /Developer/usr/bin/autom4te failed with exit status: 1
autoreconf: aclocal failed with exit status: 1

I mean “works” and “fails”, polar opposites, clearly no one checked. Shame on you, Apple.

The fix was simple (thanks to Nathan Herring’s consideration of ADL’s post on Stack Exchange):

*** /Developer/usr/share/autoconf/autom4te.cfg 2011-10-28 00:15:15.000000000 -0700
--- /Developer/usr/share/autoconf/autom4te.cfg 2011-10-28 00:14:33.000000000 -0700
***************
*** 99,101 ****
begin-language: "Autoconf-without-aclocal-m4"
! args: --prepend-include /usr/share/autoconf
args: --cache=autom4te.cache
--- 99,101 ----
begin-language: "Autoconf-without-aclocal-m4"
! args: --prepend-include /Developer/usr/share/autoconf
args: --cache=autom4te.cache
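Review bot: this hunk and the three below apply one identical substitution (`--prepend-include /usr/share/autoconf` becomes `--prepend-include /Developer/usr/share/autoconf`) to a file whose header names the same path on both sides, with the `***` side carrying the later timestamp, so a reader cannot tell which copy is the backup; say which side is the edited file, or produce the diff against a saved copy (`diff -c autom4te.cfg.orig autom4te.cfg`), and consider applying the change with a single `sed -i.orig 's#--prepend-include /usr/share/autoconf#--prepend-include /Developer/usr/share/autoconf#' autom4te.cfg` so it is repeatable the next time an Xcode install replaces the file.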
***************
*** 126,128 ****
begin-language: "Autotest"
! args: --prepend-include /usr/share/autoconf
args: autotest/autotest.m4f
--- 126,128 ----
begin-language: "Autotest"
! args: --prepend-include /Developer/usr/share/autoconf
args: autotest/autotest.m4f
***************
*** 140,142 ****
begin-language: "M4sh"
! args: --prepend-include /usr/share/autoconf
args: m4sugar/m4sh.m4f
--- 140,142 ----
begin-language: "M4sh"
! args: --prepend-include /Developer/usr/share/autoconf
args: m4sugar/m4sh.m4f
***************
*** 152,154 ****
begin-language: "M4sugar"
! args: --prepend-include /usr/share/autoconf
args: m4sugar/m4sugar.m4f
--- 152,154 ----
begin-language: "M4sugar"
! args: --prepend-include /Developer/usr/share/autoconf
args: m4sugar/m4sugar.m4f
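Review bot: with this last hunk every language block prepends /Developer/usr/share/autoconf, so the fix only holds if that directory really contains the files named on the following `args:` lines (m4sugar/m4sugar.m4f here, m4sugar/m4sh.m4f and autotest/autotest.m4f in the hunks above); check with `ls /Developer/usr/share/autoconf/m4sugar/m4sugar.m4f` before declaring victory, because a wrong path fails with the same `no such file or directory` as the original error.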

Jun 07

My sister plays WoW, and had some latency issues. Rather than go to a higher-speed WAN connection (hey, Wifi-B works OK for most people, but not when you’re raiding) she drilled a bunch of holes in her floors and went direct-wired.

Not to knock direct-attached LAN connections: it’s faster overall, and your latency/jitter in the environment cannot be influenced by a steel stovepipe, or by driving a car between your PC and your router. Unfortunately, it may have the effect of moving the upstream bottleneck (of data blocks, or ACKs stuck behind them) to the router.

Since Wifi bandwidth already exceeds Broadband bandwidth, your speed won’t go up by doing this, but latency improves (insert the first dweeb quoting Linus Torvalds on a “because Linus Sez So! Linus 3:16!” quote here)

Latency can also be a factor of buffering in terms of number of sliding windows, window size, etc. In cases of raw video, you can get better performance (ie less jitter) at the cost of a few dropped frames if you reduce your buffering, for example.

I would take notes on performance (which might be a subjective “feels better” or “feels sluggish”) and then twist a few knobs, as follows. DO NOT change more than one at a time, lest those changes be misattributed to the wrong change.

  • reduce net.inet.tcp.sendspace (check the current value with sysctl net.inet.tcp.sendspace first)
    • sudo sysctl -w net.inet.tcp.sendspace=250000
    • make sure that kern.ipc.maxsockbuf is at least net.inet.tcp.recvspace + net.inet.tcp.sendspace; a socket cannot reserve more buffer than maxsockbuf allows
    • net.inet.tcp.sockthreshold may need to be set lower (0 to disable) so that sendspace/recvspace are respected earlier on
  • reduce net.inet.tcp.mssdflt, the segment size TCP assumes when it has no path-MTU information, so that a full segment plus its 40 bytes of IPv4 and TCP headers still fits the smallest link on the path
    • plain Ethernet (MTU 1500) allows 1460; behind PPPoE, which takes 8 bytes out of every frame (MTU 1492), the ceiling is 1452
    • it’s OK to reduce it further without a huge drop in performance
    • a further drop because of WiFi? Not logical on its own, but it does protect your stream in the event of unseen X-over-Y tunneling
    • 1440 is OK on a local LAN, even a gigabit one; if all LAN members permit jumbo frames (9000-byte MTU), 8940 leaves the same headroom
  • I’m not sure there’s benefit to increasing net.inet.tcp.win_scale_factor above 3 (for gigabit ethernet) because the bottleneck at the router and cable modem/DSL will only be exacerbated. The congestion should be caught at the desktop to avoid filling the queue at the cable/DSL for outbound traffic.

These reductions are an attempt at reducing queuing at various hops that can reduce the effectiveness of TCP’s congestion algorithm.

If I get other ideas, I’ll add them here.

As always, Netalyzr is a good first-flinch when checking out an unknown network, even if you think you’ve used that net for months.

May 26

How to “ping” a system using SNMP… but why? Ping is ICMP-based, and firewalls treat different protocols, well, differently.

Clearly, if an ICMP echo round-trip (or a TTL-expiry trace) works, then there is some routing, but that neither proves nor disproves that SNMP, which rides on UDP port 161, gets through.

The most direct method would be a basic “hi, what’s your name?”:

snmpget -t 5 -r 2 -v 1 -c public 192.168.0.1 1.3.6.1.2.1.1.1.0

In essence: “-t 5 -r 2” is a 5-second timeout with 2 retries, and “-v 1 -c public” is SNMPv1 with community “public”, which is the only “authentication” v1 has and crosses the wire in clear text; the same pieces show up, spelled differently, in other tools and SNMP versions.

The IP address is obvious too; the OID is the “what’s your name?” part:

$ snmpget -t 5 -r 2 -v 1 -c public 192.168.0.1 1.3.6.1.2.1.1.1.0
SNMPv2-MIB::sysDescr.0 = STRING: Linux UberHugeDiskNAS 2.6.32.12 #1594 Fri Feb 25 19:01:31 CST 2011 ppc

The equivalent in sapwalk2.exe?

sapwalk2.exe -v v1 -c public -i 192.168.0.1 -s 1.3.6.1.2.1.1.1 -n 1
#sapwalk: ver 2.7
#Copyright (c) 1994-2006 SIMPLESOFT Inc.
#Address=192.168.0.1, StartOid=1.3.6.1.2.1.1.1
#TimeOut=90000, MaxRetries=3, CompareFlag=0, DebugFlag=0
1.3.6.1.2.1.1.1.0 , OctetString , Linux UberHugeDiskNAS 2.6.32.12 #1594 Fri Feb 25 19:01:31 CST 2011 ppc
#ERROR: Walk terminated as max variable count [1] exceeded.

(too easy!)
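What that snmpget (and sapwalk2) actually put on the wire, as an added example in Python that is not part of the post: it BER-encodes the SNMPv1 GetRequest for sysDescr.0 exactly as “-v 1 -c public” sends it, decodes the GetResponse, and wraps both in an snmp_ping() with the same timeout/retry semantics as “-t 5 -r 2”. The only credential is the community string, which travels in clear text, so a reply proves that UDP/161 is open in both directions and that the community is accepted, nothing more. Host and community values are the post’s; the request-id is random so a stray or forged reply is not mistaken for the answer.

```python
"""SNMPv1 GET as a raw UDP exchange: what snmpget -v 1 -c public puts on the wire (added example)."""
import os
import socket

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2  # context-specific tags of the two PDU types used here

def ber_len(n):  # BER length octets: short form below 128, long form above
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(value):  # INTEGER, minimal two's-complement; the +1 for negatives accounts for the sign bit
    n = (value + (value < 0)).bit_length() // 8 + 1
    return tlv(0x02, value.to_bytes(n, "big", signed=True))

def ber_oid(dotted):  # OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128 big-endian
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        enc = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            enc.append(0x80 | (arc & 0x7F))
        out.extend(reversed(enc))
    return tlv(0x06, bytes(out))

def build_message(pdu_type, community, request_id, varbinds, version=0):  # version 0 = SNMPv1
    vbl = b"".join(tlv(0x30, ber_oid(oid) + val) for oid, val in varbinds)  # [(oid, value_tlv)]
    pdu = tlv(pdu_type, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, vbl))
    return tlv(0x30, ber_int(version) + tlv(0x04, community.encode()) + pdu)

def read_tlv(buf, pos):  # (tag, payload, next_pos); refuses a length that overruns the buffer
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def split_seq(payload):  # every TLV inside a constructed payload, as (tag, payload) pairs
    items, pos = [], 0
    while pos < len(payload):
        tag, inner, pos = read_tlv(payload, pos)
        items.append((tag, inner))
    return items

def decode_oid(payload):
    arcs, value = [payload[0] // 40, payload[0] % 40], 0
    for b in payload[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_value(tag, payload):  # INTEGER, OCTET STRING, OID and NULL; other types come back raw
    if tag == 0x02:
        return int.from_bytes(payload, "big", signed=True)
    if tag == 0x04:
        return payload.decode("ascii", "replace")
    return decode_oid(payload) if tag == 0x06 else None if tag == 0x05 else (tag, payload.hex())

def parse_message(data):  # any v1 message -> dict; malformed input raises ValueError
    tag, body, _ = read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    (_, version), (_, community), (pdu_type, pdu) = split_seq(body)
    (_, rid), (_, err), (_, idx), (_, vbl) = split_seq(pdu)
    varbinds = [(decode_oid(oid), decode_value(vtag, val))
                for (_, oid), (vtag, val) in (split_seq(vb) for _, vb in split_seq(vbl))]
    return {"version": decode_value(0x02, version), "community": decode_value(0x04, community),
            "pdu_type": pdu_type, "request_id": decode_value(0x02, rid),
            "error_status": decode_value(0x02, err), "error_index": decode_value(0x02, idx),
            "varbinds": varbinds}

def snmp_ping(host, community="public", oid=SYS_DESCR_0, timeout=5, retries=2, port=161):
    """Value of oid from host, or None after retries + 1 unanswered sends (snmpget -t 5 -r 2)."""
    request_id = int.from_bytes(os.urandom(3), "big")  # unpredictable, so stray or forged replies are dropped
    packet = build_message(GET_REQUEST, community, request_id, [(oid, tlv(0x05, b""))])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(retries + 1):
            sock.sendto(packet, (host, port))
            try:
                data, _ = sock.recvfrom(65535)
            except socket.timeout:
                continue
            msg = parse_message(data)
            if msg["pdu_type"] != GET_RESPONSE or msg["request_id"] != request_id:
                continue  # not the answer to this request
            if msg["error_status"]:
                raise RuntimeError("agent returned error-status %d" % msg["error_status"])
            return msg["varbinds"][0][1]
    return None
```

snmp_ping("192.168.0.1") returns the same sysDescr string the snmpget above printed, or None when nothing answers within timeout × (retries + 1) seconds; a non-zero error-status (for example noSuchName from an agent that hides the MIB-2 system group) is still a reachability proof, which is why it raises rather than returning None.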

May 18

After thrashing with sed, awk, and various other attempts to cleanly edit XML, I kept thinking “why don’t I use xpathset”?

xpathset is a tool based on an example in xmlsoft — I’ve got a copy on my cnp-tools project — but it runs on Linux, and my employer uses Windows for all supported installs of its Java-based product. That seems a non-happener.

Sometime last night, I remembered that we are a Java company, and I can compile and share Java code without incurring support issues, additional compiler toolchains, licenses, etc while still leveraging the underlying strength of my coworkers where needed.

From 7pm to 9pm I built XPathSet.java using XPathTool.java to effect behavior similar to xpathset; it took another 4 hours to clean up and document, but it’s available if you would like to re-use it. Although I didn’t open up xpathset while I was working (xpathset based on an xmlsoft example, hence MIT license), I’m certain I reused the same concepts I used in that tool, so I should license as MIT.

In this example, the steps are (and the order matters):

  1. load input.xml
  2. register “textfile.txt” as the replacement value
  3. search for the XPath “//ScanTask[@name='scanExample1']/@file” and replace every match with “textfile.txt”
  4. write the result to output.xml

The example I did this for is a filename fix in an Axeda EDD_TEXT.xml file. It is possible to read and write the same file, effecting an in-place edit — with Axeda, there may be a timing issue: I’ve found that the file cannot be written on occasion.

The side-effect of the underlying javax.xml.transform technology used is that the attributes are alphabetized on the way in or out of the DOM, so don’t be too surprised if your attributes are re-ordered. Also, indentation may change.
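The same four steps with the Python standard library, as an added example that is not the author’s XPathSet.java: xml.etree handles the element-with-predicate subset of XPath used above but not a trailing /@attr step, so the attribute name is a separate argument. SAMPLE_XML is a constructed stand-in for an EDD_TEXT.xml with two scan tasks; the file variant writes to a temporary name and renames, so a write that fails part-way (the Axeda timing issue) never leaves a truncated config behind.

```python
"""Set an attribute on every element an XPath selects (added example, not XPathSet.java)."""
import os
import xml.etree.ElementTree as ET

# constructed stand-in for an EDD_TEXT.xml with two scan tasks
SAMPLE_XML = """<Config>
  <ScanTask name="scanExample1" file="old.txt" interval="60"/>
  <ScanTask name="scanExample2" file="other.txt" interval="60"/>
</Config>
"""


def set_attribute(xml_text, element_xpath, attr, value):
    """Return (new_xml, match_count) with attr=value set on every element matching element_xpath."""
    root = ET.fromstring(xml_text)
    matches = root.findall(element_xpath)
    for elem in matches:
        elem.set(attr, value)
    return ET.tostring(root, encoding="unicode"), len(matches)


def get_attribute(xml_text, element_xpath, attr):
    """Values of attr on the matching elements, to verify an edit before trusting it."""
    return [elem.get(attr) for elem in ET.fromstring(xml_text).findall(element_xpath)]


def set_attribute_in_file(in_path, out_path, element_xpath, attr, value):
    """File-to-file variant; in_path == out_path is an in-place edit.

    Refuses silent no-ops, and writes via a temporary file plus rename so the
    target is either the old document or the complete new one, never a partial write.
    """
    with open(in_path, encoding="utf-8") as fh:
        new_xml, count = set_attribute(fh.read(), element_xpath, attr, value)
    if count == 0:
        raise LookupError("nothing matched %s in %s" % (element_xpath, in_path))
    tmp_path = out_path + ".tmp"
    with open(tmp_path, "w", encoding="utf-8") as fh:
        fh.write(new_xml)
    os.replace(tmp_path, out_path)
    return count


if __name__ == "__main__":
    new_xml, count = set_attribute(SAMPLE_XML, ".//ScanTask[@name='scanExample1']", "file", "textfile.txt")
    print(count, "element(s) updated")
    print(new_xml)
```

Unlike the javax.xml.transform path described above, ElementTree on Python 3.8 and later keeps attributes in document order, but it too drops the XML declaration and may change whitespace, so diff the result rather than assuming byte-for-byte fidelity outside the edited attribute.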