Uncategorized – Page 2 – the foremind


Starting anew in 2015 – a resolution

As the new year broke upon us just over two weeks ago, I found myself wondering what resolutions I should make to improve myself during the next twelve months.  In the past I have made resolutions about inconsequential things like reading more books or taking more photos.  I even tried to participate in a photo a day and managed to make it through two months before giving up.

This year I have decided that the foremost goal should be to live a better life, but what does that really mean?  To many, living a better life can mean that you drop a bad habit (for example, smoking).  To others, living a better life can mean that you start doing something new that would improve your overall quality of life.

I have decided to start simply with the goal of improving my physical and mental well-being.  In late 2014 I started on this path by giving up my habit of smoking.  It was hard, and sometimes I still find myself in a situation where I could easily slip backwards into that habit, so I must remain vigilant.  As a follow-up to this physical life improvement, to start out 2015 I have decided to add a two-day per week exercise regimen.  Not only will my exercise help combat the intake of excess calories from my beloved sweets (cake, cookies, M&M’s and the like), but it will also bolster the improvements to my blood pressure and stress levels that I started with cutting out the cigarettes.

As for the mental improvements, the first step on this path will be a closer and deeper understanding of my relationship with Christ.  The beginning of this journey should start with a deep dive into The Word.  A friend of mine once said that it is impossible to really know how to be a Christ-follower without knowing the words that He said and the context in which they were posited.

Creating a firewalld service for Plex Media Server

I recently rebuilt my Plex Media Server box as a CentOS 7 VM running on Hyper-V on a Windows Server 2012 setup.

When I installed the rpm and started the service I found that I was unable to load the interface on my desktop. I knew that it was running because I had installed netstat and could see that the port was open for traffic, and I was also able to load the interface locally in lynx on the server.

UPDATE: At some point I rebuilt my server and I came back to this post to grab my config.  It turns out that I had a typo in one place and a missing command in another.  I have edited this post to correct the issues.  I have followed the new steps on several machines and this process does work without adding additional files in: [code]/usr/lib/firewalld/services/[/code]

It turns out that there were two issues: SELinux and firewalld.

Disabling SELinux was as simple as editing the configuration file (/etc/selinux/config) and setting SELINUX=disabled (setting it to permissive instead keeps the policy loaded and logs denials without enforcing them, which is the less drastic first step if you only want to rule SELinux out).

Dealing with firewalld was initially just as simple:

[code language="bash"]# systemctl stop firewalld[/code]

The problem with this approach is that I was completely disabling my server’s software firewall. The proper approach would be to create a ruleset that allows for the various ports of Plex Media Server to be open in my server’s active firewalld zone.

Fortunately this is relatively easy to accomplish:

  1. Create the new service configuration file in the services directory:
    [code language="bash"]# vi /etc/firewalld/services/plexmediaserver.xml[/code]
  2. Next add the ruleset using the XML format established for firewalld services. The short name, the description and one port element per port (at minimum the main Plex web port, 32400/tcp) all sit inside a single service element:
    [code language="xml"]<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>plexmediaserver</short>
  <description>Plex TV Media Server</description>
  <port protocol="tcp" port="32400"/>
</service>[/code]
  3. Save the service file.
  4. Reload the firewalld configs so that the new service definition is picked up:
    [code language="bash"]# firewall-cmd --reload
success[/code]
  5. Add the service to your active zone (by default it is the public zone, but I have changed my default zone to be the home zone, so substitute the zone you are actually using):
    [code language="bash"]# firewall-cmd --permanent --zone=public --add-service=plexmediaserver
success[/code]
  6. Restart the firewalld service so that the permanent rule becomes active:
    [code language="bash"]# systemctl restart firewalld.service[/code]
  7. You can get the defined service list from firewalld as follows, and plexmediaserver should now appear in it:
    [code language="bash"]# firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn plexmediaserver pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-https[/code]

Now that this is done you should be able to hit the Plex Media Server web interface from a web browser on any other machine in your network.
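The same service file can be generated and sanity-checked from a script before it is dropped into /etc/firewalld/services, which avoids the kind of typo that bit me above. This is an added example, not the post's own file or any firewalld tooling: it assumes the standard firewalld service XML layout, uses the Plex web port 32400/tcp as a constructed sample port list, and all function names are my own.

```python
"""Build and check a firewalld service definition (added example, not the
original post's file). The layout follows firewalld's service XML format; the
port list in main() is a constructed sample using the standard Plex web port
32400/tcp, which is the only port the web interface itself needs."""
import xml.etree.ElementTree as ET
from pathlib import Path

VALID_PROTOCOLS = {"tcp", "udp"}


def build_service_xml(short, description, ports):
    """Return the text of a firewalld service file.

    ports is an iterable of (protocol, port) pairs, e.g. [("tcp", "32400")].
    A port value may be a single number or a firewalld range like "32410-32414".
    """
    svc = ET.Element("service")
    ET.SubElement(svc, "short").text = short
    ET.SubElement(svc, "description").text = description
    for protocol, port in ports:
        ET.SubElement(svc, "port", protocol=protocol, port=str(port))
    if hasattr(ET, "indent"):  # Python 3.9+: pretty-print so the file is readable
        ET.indent(svc)
    body = ET.tostring(svc, encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body + "\n"


def parse_service_ports(xml_text):
    """Parse a service file and return its (protocol, port) pairs in order."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "service":
        raise ValueError("root element must be <service>")
    return [(p.get("protocol"), p.get("port")) for p in root.findall("port")]


def validate_service(xml_text):
    """Return a list of problems found; an empty list means the file looks sane.

    firewalld rejects a service without a <short> name, and each <port> needs a
    known protocol plus a numeric port or port range inside 1-65535.
    """
    problems = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    if not (root.findtext("short") or "").strip():
        problems.append("missing <short> name")
    for protocol, port in parse_service_ports(xml_text):
        if protocol not in VALID_PROTOCOLS:
            problems.append(f"unknown protocol {protocol!r}")
        lo, _, hi = (port or "").partition("-")
        ends = [lo, hi] if hi else [lo]
        if not all(e.isdigit() and 1 <= int(e) <= 65535 for e in ends):
            problems.append(f"bad port {port!r}")
    return problems


def write_service(directory, short, description, ports):
    """Write <short>.xml into directory (/etc/firewalld/services on a real host)
    and return the path. Afterwards run 'firewall-cmd --reload' and add the
    service to your zone exactly as in the steps above."""
    xml_text = build_service_xml(short, description, ports)
    problems = validate_service(xml_text)
    if problems:
        raise ValueError("; ".join(problems))
    path = Path(directory) / f"{short}.xml"
    path.write_text(xml_text, encoding="utf-8")
    return path


if __name__ == "__main__":
    import tempfile
    PLEX_PORTS = [("tcp", "32400")]  # constructed sample: the web interface port only
    with tempfile.TemporaryDirectory() as tmp:
        out = write_service(tmp, "plexmediaserver", "Plex TV Media Server", PLEX_PORTS)
        print(out.read_text())
```

Point write_service at /etc/firewalld/services as root to install the file; anything placed in /usr/lib/firewalld/services is package-owned and can be overwritten on update, which is why the steps above use the /etc tree.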

Software bundling should be opt-in

According to the FileZilla FAQ:

FileZilla is free open-source software distributed under the terms of the GNU General Public License free of charge.
Basically this means that everyone, including corporate entities, can use FileZilla, including but not limited to private, educational and commercial use.

When you install it you have to opt out of at least one, if not two, bundling offers.  While many installers provide you the opportunity to install a bundled offer, I really think that if you are releasing the software as open-source under the GPL, then you should embrace the spirit of the license and make the included bundles opt-in.  And while you are at it, maybe you could add a section to the FAQ on what the funds from the bundles and the website sponsors are used for.


Resolutions – 2015

Each year I make a host of resolutions that I fail to keep.  In my post, Starting anew in 2015 – a resolution, I stated some general guidelines that I am going to follow for 2015, so I thought I should lay them out in a bit more detail, as I feel this will help keep me on course:

  1. Read the Bible completely
    I feel that one of the best ways to improve myself as a follower of Christ will be to dive into The Word.  As a guide for this I am using George H. Guthrie’s book Read the Bible for Life.  My chosen translation of the Bible is the New King James version in the form of the Jeremiah Study Bible with commentary and annotations by Dr. David Jeremiah.
  2. Improve my professional career by obtaining two professional certifications
    Many professionals improve their career by attaining a higher degree.  While getting a Master’s degree in CIS or Information Management would be great, I have decided that a better way to improve my professional outlook will be to obtain some useful and meaningful certifications.
  3. Exercise and Health Improvement
    In my quest for better physical health, this year I will be extending the benefits that I obtained by quitting smoking by exercising regularly as well as improving both my health tracking and my diet.  To start with I am setting out to exercise at least two days per week after work and to cut out soda.

Configure OpenDNS for EdgeRouter X

Recently I acquired an EdgeRouter X from Ubiquiti Networks to handle the routing and firewall functions of my home network.  This was prompted by a desire to separate each of my network functions to individual components and to get a better piece of equipment than the run-of-the-mill Comcast rental gear.

After configuring the equipment and updating to the latest firmware, I decided to also configure my network DNS to flow through OpenDNS instead of Comcast DNS.  This also allowed me to configure content filtering so that my grandchildren wouldn’t accidentally get shuffled into some crazy website instead of Disney Junior.

The steps to configure this are not quite as simple as on some other setups.  OpenDNS didn’t have any instructions on this and sent inquiring users to the Ubiquiti Community Forums.  Here is the method that I used:

Step One – Open main system configuration

In the main windows of the web interface for the EdgeRouter X, click on the System button towards the bottom left of the window. This will bring up the main system configuration screen.

Step Two – Configure the System Name Server values

Add the first OpenDNS IP address in the visible field.  Click the Add New button to add a second field, then enter the second OpenDNS IP address into that field.  Scroll down to the bottom of the System settings and click the Save button.

Step Three – Login to the command line interface

In the upper right section of the admin interface, click on the CLI button to open a window to the command line interface (aka cli).  When the window opens, login using the same username and password you use for the web interface (Security Tip: please take the time to change the password from the default…)

Step Four – Update the DNS Forwarding

After logging into the cli, you need to enter the following commands:

configure
set service dns forwarding system
commit
save
exit
exit

What this does is to alter the functionality of the built-in DNS forwarding service to use the system name server values instead of the values from your ISP source (in my case an Arris SB6190 cable modem connected to Comcast).

After you have completed the above steps, then you can easily control the content filtering on your network using the OpenDNS tools.

Workaround for HipChat on openSUSE

I recently re-built my work laptop to run openSUSE due to continual crashes of GNOME Shell on my Ubuntu GNOME 17.04 spin.  One of the apps that we use at work is Atlassian’s HipChat client.  HipChat has an artifactory repo where you can download the rpm bundle for use on CentOS, openSUSE, Fedora, etc.  After installing the client I was presented with a blank screen on launching the app.

I tried the flag to disable the GPU support, as I had seen that as one solution for a few Ubuntu users, but that wasn’t the solution.

What I was seeing in the logs turned out to not be an issue with the GPU, but an issue with the built-in version of Qt5.  It turns out that there is a bug with respect to running 32-bit sandboxed apps on a 64-bit OS.

/qwebengine/qtwebengine/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc:**CRASHING**:seccomp-bpf failure in syscall 0281

The solution is to add the following value to the arguments passed in on line 4 of the QtWebEngineProcess file located in the /opt/HipChat4/bin directory of the HipChat install.  Be aware that this flag turns off the seccomp-BPF syscall filter for the embedded Chromium renderer, so it trades away one sandboxing layer rather than fixing the underlying Qt bug:

--disable-seccomp-filter-sandbox

Thanks to the Arch Linux user falstaff_ch for putting this in a comment on the Arch Linux AUR entry page.

ESXi Embedded Host Client Overview

As I have begun to see numerous rumors in the VMware forums that the next major release will deprecate the usage of the vSphere thick client (and the simple fact that VMs created using the most recent extensions include features that cannot be managed with the desktop client) I decided to take the plunge and install the HTML5 fling host client on my ESXi host.
The fling can be downloaded from the VMware Labs site. The standard caveat applies to this fling like anything else that you install from VMware Labs:

I also understand that Flings are experimental and should not be run on production systems.

Installation/Removal

There are several ways to install it, but the recommended method is to use the esxcli command from the console of the ESXi host.  Since I have SSH connectivity allowed to my ESXi host, this is the method that I chose.  You can also remove it via the esxcli command from the console.

Logging In

After the installation has completed you can access the login screen by visiting the ESXi host welcome page or by appending “/ui” to the end of the FQDN (or IP) of your ESXi host.  If you navigate to the ESXi host welcome page, you will see an additional link “Open the VMware Host Client” that has been added to the screen above the paragraph describing the functionality of VMware vCenter.  vCenter also has a new HTML5 fling, but as I am running the “free” version of ESXi, I don’t have access to vCenter.

Host Management and Monitoring

The initial view after logging in is of the Host Management functions.  From here you have easy access to create or register VMs, shutdown or restart the host, and additional functions which are in the actions dropdown menu.  As you can see from the following screenshots, the HTML5 interface gives you access to a plethora of management and monitoring screens where you can manage or view the various settings and performance metrics of the ESXi host.

VM Management

The system also gives you complete control of the management and monitoring of the configured virtual machines, of course.  The main VM management screen lists the configured VMs and gives you the ability to create new VMs as well as easy access to the following functions for any VM you select in the list:

  • console
  • power on, power off, suspend

When you select a VM the bottom pane changes to present a summary screen showing a preview of the current console, as well as basic hardware stats on the VM.  When you select a single VM from the list you are also given access to a menu showing the various actions that you can perform on the VM.

Individual VM

When you select a VM from the listing you are presented with a more complete picture of the settings, performance and configuration of the VM.  You are also presented with any notifications regarding the state of the VM (mismatched OS, VMware Tools state, etc.).  You also have the ability to view a series of monitoring graphs similar to what is available for the overall ESXi host.

Storage Management

Selecting Storage from the left column presents a view of the storage subsystem of the ESXi host.  From here you can manage the datastores (the default view), as well as the storage adapters and devices.  Selecting a single item in the datastores list is similar to the way the listing of VMs works, in that you are presented with a summary of the single datastore.  Clicking on the hyperlink to a single datastore opens a view that is specific to the single datastore, confining the information and actions to that datastore.  The monitoring screen for a single datastore is similar to the event listing of the overall system, however it is restricted to events involving only the datastore.

Network Management

The features of the networking subsystem management screen have more in common with the monitoring section of the main ESXi host.  You are presented with a set of tabs from which you can manage the following:

  • port groups
  • vswitches
  • physical and vmkernel NICs
  • TCP/IP stacks
  • firewall rules

Conclusions

While I am most familiar with the “thick” client and the flash-based interface of vCenter, I have found the HTML5 fling replacement for the standalone client to be quite functional.  I am still working on changing the methodology for some functions that I am used to in the standalone client.  I look forward to the improvements to the web client that are on the way.

Windows Tip of the Week: Find your account password expiration date in an AD environment

In many cases your enterprise Active Directory will not involve too many domains; in fact it is quite common for an Active Directory implementation to include only one domain.  In some cases, however, when you have the unfortunate situation of having a username in multiple domains with differing policies on password expiration, it is useful to be able to know when your password, or that of another user, will expire.  Here is an easy way to accomplish this from the command line.

For the current active user (the username has to be given, otherwise net user just lists every account in the domain; %USERNAME% expands to the logged-in user):

[code language="bash"]net user %USERNAME% /domain[/code]

For a different user:

[code language="bash"]net user _username_here_ /domain[/code]

Here is an example of the output:

[code language="bash"]User name                    afore
Full Name                    Andrew Fore
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            1/29/2015 4:38:37 PM
Password expires             4/29/2015 4:38:37 PM
Password changeable          1/29/2015 4:38:37 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   3/18/2015 3:27:55 PM

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *VMWare Admins        *Domain Users
                             *Staff[/code]

As you can see, there is a lot of useful information regarding the user account here.  Of particular interest in my situation was the value of Password expires, since I was trying to ensure that I got my password reset before the policy deadline so that I would not find myself locked out over a weekend on call when the Helpdesk would be closed.
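A small parser that turns the Password expires value from that output into a days-remaining figure, so the check can run from a script rather than by eye. This is an added example and not part of the original post: the sample text is constructed from the values shown above, the date layout assumes the US-locale format that net user printed here, and the function names (and the check_expiry.py file name mentioned below) are my own.

```python
"""Parse 'net user <name> /domain' output and work out how long is left before
the password expires (added example; the sample output is constructed from the
values in the post and is not the page's own code)."""
import re
import sys
from datetime import datetime

# Constructed sample in the layout net user prints: label, padding, value.
SAMPLE_OUTPUT = """\
User name                    afore
Full Name                    Andrew Fore
Comment
User's comment
Account active               Yes
Account expires              Never

Password last set            1/29/2015 4:38:37 PM
Password expires             4/29/2015 4:38:37 PM
Password changeable          1/29/2015 4:38:37 PM
Password required            Yes
User may change password     Yes

Last logon                   3/18/2015 3:27:55 PM
"""

# A field is a label of letters/apostrophes/spaces, two or more spaces, a value.
FIELD_RE = re.compile(r"^(?P<label>[A-Za-z'][A-Za-z' ]*?)\s{2,}(?P<value>\S.*?)\s*$")
# US-locale layout as seen in the post; other locales print dates differently.
DATE_FORMAT = "%m/%d/%Y %I:%M:%S %p"


def parse_net_user(text):
    """Return {label: value} for every line that carries a value."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("label")] = m.group("value")
    return fields


def password_expiry(text):
    """Return the 'Password expires' timestamp, or None when it reads 'Never'."""
    value = parse_net_user(text).get("Password expires")
    if value is None:
        raise ValueError("no 'Password expires' line in output")
    if value.lower() == "never":
        return None
    return datetime.strptime(value, DATE_FORMAT)


def days_until_expiry(text, now):
    """Whole days from now until expiry (negative if already expired, None if never).

    now may be a datetime or a string in DATE_FORMAT.
    """
    if isinstance(now, str):
        now = datetime.strptime(now, DATE_FORMAT)
    expires = password_expiry(text)
    return None if expires is None else (expires - now).days


def needs_rotation(text, now, warn_days=7):
    """True when the password expires within warn_days or has already expired."""
    days = days_until_expiry(text, now)
    return days is not None and days <= warn_days


if __name__ == "__main__":
    # Read piped net user output when available, otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    days = days_until_expiry(text, datetime.now())
    if days is None:
        print("password never expires")
    else:
        print(f"password expires in {days} days" + (" - rotate now" if days <= 7 else ""))
```

On a domain-joined Windows machine the script is fed directly from the command: net user %USERNAME% /domain | python check_expiry.py. Run it as-is, with nothing piped in, and it evaluates the constructed sample instead. The warn_days threshold is the piece to tune to your own on-call rota.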

Configure Google Authenticator on CentOS 7

January 8, 2017 / August 28, 2016 by Andrew Fore

As part of the rebuild on my Plex Media Server using CentOS 7, I had intended to configure Google Authenticator but hadn’t gotten around to doing it yet.  As I got into the process recently I discovered that many of the steps that I had used when configuring my CentOS 6 Digital Ocean droplet were out of date to the point of uselessness.

I also discovered that most of the guides that I found either relied on the older 1.0 code release, which was also outdated, or used an unknown RPM repo.  As such I decided to write up the process that I followed to use the code downloaded from the official GitHub repository.

NOTE: If you are doing this in an enterprise setting, it is likely that your company has particular settings and restrictions that you may need to adhere to (e.g., not running things as the root user). Also, please note that all of my examples use the CentOS defaults unless specifically noted.