Sunday, December 1, 2013

Winter is coming

Which means I have some more time; expect some IPv6 and Cisco related posts in the near future.



Monday, May 13, 2013

Compiling your own PuTTY-CAC with EID support


So we've got electronic IDs (smartcards), but apart from doing our taxes we're not using them much.



Now under Linux there are options to use them for SSH authentication, but these days I'm mostly using PuTTY on Windows, so I wanted it to work with this client.

After some searching I found a possible candidate: PuTTY-CAC: http://www.risacher.org/putty-cac/

It works with CAPI, the military uses it, it's open source and based on PuTTY. Seems like a win-win-win-win. And for once it also is :-)



I compared it with the official PuTTY source from http://svn.tartarus.org/sgt/putty/ to see whether anything suspicious had been added to the code. Nothing had, so I could safely build the binary myself.

I remembered that Visual Studio Express was a free C++ compiler from Microsoft, so I downloaded version 2010.

So now just open the project and press build, right? Wrong! The project was made in Visual Studio 6, and apparently you can not convert from Visual Studio 6 to Visual Studio 2010. According to the internets you need to first install Visual Studio 2008, convert there, save it, then open it in Visual Studio 2010, convert, save and build.



Here is an overview for those that want to do this:

Start Visual C++ 2008
Open Project - c:\temp\putty-cac-master\windows\MSVC\putty.dsw
Convert and open the project
Choose File - Save All
Start Visual C++ 2010 (and close 2008 ;-)
Open Project - c:\temp\putty-cac-master\windows\MSVC\putty.sln
You'll get a wizard: Next - Next - Finish

Now when you try to build it, it won't. You'll need to add a define:

Open c:\temp\putty-cac-master\windows\winstuff.h
Add #define SECURITY_WIN32 at the top of the file

If you compile now you'll get linking errors. You'll need to add 'sc.c' and 'capi.c' to the 'Source Files' of the project.

Now you're finally ready to build your binary. Press build and enjoy your self-built PuTTY.

To actually use your EID with this, just follow the CAPI instructions on http://www.risacher.org/putty-cac/


Stuff you'll need to get this working:

Microsoft Windows SDK for Windows 7 and .NET Framework 4

Visual C++ 2008 Express

Visual C++ 2010 Express

PuTTY CAC source

Good luck!

Wednesday, April 3, 2013

DHCPv6: ISC MAC logging and Cisco relay agent configuration



DHCPv6 server MAC address logging

One of the differences between DHCPv6 and DHCPv4 is that DHCPv6 uses a DUID as the client identifier instead of a MAC address.



As you probably know, for the majority of OSes (e.g. Windows) the DUID is based on a timestamp followed by a MAC address.

For some of our internal systems we use the MAC as an identifier, and for now we will also be needing this for IPv6. The ISC DHCPv6 daemon doesn't log a MAC address by default. One way to have it print one is by adding this to your DHCP config:

option dhcp6.macaddr code 193 = string;
option dhcp6.leased-address code 194 = string;
option dhcp6.macaddr = binary-to-ascii(16, 8, ":", suffix(option dhcp6.client-id, 6));
option dhcp6.leased-address = binary-to-ascii(16,16, ":", substring(suffix(option dhcp6.ia-na, 24),0,16));
log (info, concat ("Lease for ",config-option dhcp6.leased-address, " leased to ", config-option dhcp6.macaddr));

The above config will only work for DUID-LLT and DUID-LL (so not for DUID-EN, but I don't know anyone using that at the moment).
More info about DUIDs: http://tools.ietf.org/html/rfc6355
Another great blog post about DHCPv6: http://ipv6friday.org/blog/2011/12/dhcpv6/
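As an added example (mine, not from the post or from ISC), this Python does what the dhcpd.conf expressions above do, the DUID suffix trick and the IA_NA substring, and shows the DUID types for which the last six bytes are not a MAC; the DUIDs and IA_NA bytes are constructed samples.

```python
import struct
from ipaddress import IPv6Address

# DUID types from RFC 8415 (DUID-UUID from RFC 6355); hardware type 1 = Ethernet
DUID_LLT, DUID_EN, DUID_LL, DUID_UUID = 1, 2, 3, 4
HW_ETHERNET = 1
OPTION_IAADDR = 5  # IA_NA sub-option that carries the leased address


def isc_suffix_mac(duid: bytes) -> str:
    """What binary-to-ascii(16, 8, ":", suffix(option dhcp6.client-id, 6))
    prints: the last six bytes, whatever the DUID type. ISC's binary-to-ascii
    does not zero-pad, so 0x0a comes out as "a"."""
    return ":".join(f"{b:x}" for b in duid[-6:])


def mac_from_duid(duid: bytes):
    """Return a zero-padded MAC only when the DUID really carries one.

    DUID-LLT: type(2) hwtype(2) time(4) link-layer address
    DUID-LL:  type(2) hwtype(2)         link-layer address
    DUID-EN and DUID-UUID carry no MAC, so their last six bytes are not one;
    this is the case the post says its config does not handle.
    """
    if len(duid) < 4:
        return None
    dtype, hwtype = struct.unpack("!HH", duid[:4])
    if dtype == DUID_LLT and len(duid) == 14:
        ll = duid[8:]
    elif dtype == DUID_LL and len(duid) == 10:
        ll = duid[4:]
    else:
        return None
    return ":".join(f"{b:02x}" for b in ll) if hwtype == HW_ETHERNET else None


def leased_addresses(ia_na: bytes):
    """Walk the IA_NA payload (IAID, T1, T2, then sub-options) and return every
    IAADDR address. substring(suffix(option dhcp6.ia-na, 24), 0, 16) assumes a
    single IAADDR without sub-options; this handles the general case."""
    addrs = []
    pos = 12  # skip IAID(4) + T1(4) + T2(4)
    while pos + 4 <= len(ia_na):
        code, length = struct.unpack("!HH", ia_na[pos:pos + 4])
        body = ia_na[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError("truncated IA_NA sub-option")
        if code == OPTION_IAADDR and length >= 24:
            addrs.append(str(IPv6Address(body[:16])))  # then preferred/valid lifetimes
        pos += 4 + length
    return addrs


# Constructed samples, not real clients.
DUID_LLT_SAMPLE = bytes.fromhex("0001" "0001" "1a2b3c4d" "000c29ab0a01")
DUID_EN_SAMPLE = bytes.fromhex("0002" "00000009" "0cc084d303000912")
IA_NA_SAMPLE = (struct.pack("!III", 0x0E001234, 3600, 5400)
                + struct.pack("!HH", OPTION_IAADDR, 24)
                + IPv6Address("2001:db8:100:4200::1234").packed
                + struct.pack("!II", 86400, 172800))

if __name__ == "__main__":
    for duid in (DUID_LLT_SAMPLE, DUID_EN_SAMPLE):
        print(duid.hex(), "isc:", isc_suffix_mac(duid), "parsed:", mac_from_duid(duid))
    print("leased:", leased_addresses(IA_NA_SAMPLE))
```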


DHCPv6 relay configuration on Cisco equipment

An overview of the configuration we're using on our routers.

(1) We're using FE80:: as our IPv6 default gateway everywhere; it seems to work for me for now ;) Any best practices for this? (Update: because of issues with Linux, which responds to fe80:: if that address is configured on any of its links, this has now changed to FE80::1.)

(2) Asking the hosts on the subnet not to do SLAAC; we're asking you nicely.
(3) Letting the hosts know we're managing the config, so they must use DHCPv6.
(4) Just to be sure also set this flag, telling them to use DHCPv6 not only for getting an IP but also for getting e.g. DNS servers.
(5) We're the boss on this subnet.
(6) Relay DHCPv6 requests to our server and (7) use the loopback as the source for this.

We're using link-local addresses for routing, so if we don't specify a source-interface, the relay agent would try to use a link-local address as its source, which obviously can not be routed.

interface Vlan42
  ipv6 address FE80::1 link-local (1)
  ipv6 address 2001:0db8:100:4200::1/64
  ipv6 nd prefix default 2592000 604800 no-autoconfig (2)
  ipv6 nd managed-config-flag (3)
  ipv6 nd other-config-flag (4)
  ipv6 nd router-preference High (5)
  ipv6 dhcp relay destination 2001:0db8:0:40::547:1 (6)
  ipv6 dhcp relay source-interface Loopback0 (7)

interface Loopback0
  ipv6 address 2001:0db8:300::63/128

Tuesday, February 26, 2013

IPv6 logging and Cisco NCS


So you want to deploy IPv6 on your wireless network. 
You want to use SLAAC and you want logging of those SLAAC addresses.

Straight from the horse's mouth:

Q: What are IPv6 private addresses and why are they important to track?
A: Private (also known as temporary) addresses are randomly generated by the client when SLAAC address assignment is in use. These addresses are often rotated at a frequency of a day or so, so as to prevent host traceability that would come from using the same host postfix (last 64 bits) at all times. It is important to track these private addresses for auditing purposes such as tracing copyright infringement. Cisco NCS records all IPv6 addresses in use by each client and historically logs them each time the client roams or establishes a new session. These records can be configured at NCS to be held for up to a year.



BUT Cisco NCS or PI doesn't make it easy for you, it keeps the addresses in the database somewhere, but as soon as the client has disassociated you can't search for the IPv6 address anymore.  Disassociated IPv4 addresses can be searched though.


So much for IPv6 parity.

RADIUS to the rescue?

But wait, we've got RADIUS accounting, right? You'll see the Framed-IP-Address attribute and this will show you the IPv6 address, right? RIGHT?

As we all know, IPv6 is a very new protocol (only about 15 years old), so of course there isn't support for IPv6 in the Framed-IP-Address attribute. There is a draft proposing Framed-IPv6-Address (also very new, only 3 years old).

So, no searching, no IPv6 address logging by RADIUS.

So much for IPv6 parity again...

But according to the documentation (see above) Cisco is recording those addresses somewhere ...

Reports to the rescue!

The workaround is reports:
Go to the report launch pad - Client - Client Sessions
Create a new report:
- report by SSID (or your own favourite source)
- reporting criteria (all SSIDs)
- reporting period: select last 7 days
Customize the report; the most important data field is "Global Unique", which shows you the IPv6 address. Now you can schedule this report weekly and you've got weekly CSV files containing all the necessary information about the users.

If anyone got a better workaround please share!








Thursday, February 7, 2013

Cisco Prime Infrastructure NCS 1.2 and the Oracle issue

Continuing my story about the NCS disk space increase.

For a few weeks everything went fine, until one day neither the web server nor the shell was accessible anymore.
In the VMware server console we saw that all of the memory was in use (8GB). So we added some extra memory and rebooted the system. (At that time I didn't make the correlation with increasing the disk space a few weeks earlier.)

This didn't solve the problem.

But I could log in and memory usage seemed normal. First I went looking in /var/log; you can skip this step, nothing of value can be found there.

The interesting directory is /opt/CSCOlumos/logs/

The last file modified was hm-0-0.log, containing:

ERROR [system] [HealthMonitorServer] HealthMonitorServer.initHealthMonitor: initHealthMonitor(): can not start DB
INFO  [database] [Thread-17] OracleSchemaUtil dbServerUp(): wcs errorCode = 1034

(Other logfiles were also giving Oracle errors.)
Closing in on the Oracle DB.



Next target: /opt/oracle (disclaimer: I know nothing about Oracle). After some searching I discovered the logfile /opt/oracle/diag/rdbms/wcs/wcs/trace/alert_wcs.log, which seemed interesting:

ORA-19815: WARNING: db_recovery_file_dest_size of 107374182400 bytes is 100.00% used, and has 0 remaining bytes available.
ORA-19809: limit exceeded for recovery files
ORA-16038: log 1 sequence# 1018 cannot be archived
ORACLE Instance wcs - Archival Error
ARCH: Archival stopped, error occurred. Will continue retrying

This didn't look good. Apparently Oracle has its own internal idea of how big a disk is and how much free space is available, because we still had 130GB available:

/dev/mapper/smosvg-optvol
                     249204396  97436636 138909244  42% /opt
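As an added example (not from the post or from Cisco), a small Python checker for the ORA-19815 lines above: it pulls the limit, percentage and remaining bytes out of alert_wcs.log, flags the recovery area well before it reaches 100%, and compares Oracle's limit against the real free space reported by df. The sample log is the two lines from above plus one constructed filler line.

```python
import re

# The ORA-19815 line Oracle writes to alert_<sid>.log when the recovery area
# fills up: limit in bytes, percentage used, bytes remaining.
ORA19815 = re.compile(
    r"ORA-19815: WARNING: db_recovery_file_dest_size of (\d+) bytes is "
    r"([\d.]+)% used, and has (\d+) remaining bytes available"
)


def parse_fra_warnings(lines):
    """(limit_bytes, pct_used, remaining_bytes) for every ORA-19815 line, in order."""
    hits = []
    for line in lines:
        m = ORA19815.search(line)
        if m:
            hits.append((int(m.group(1)), float(m.group(2)), int(m.group(3))))
    return hits


def fra_status(lines, warn_pct=80.0):
    """Most recent recovery-area usage from the alert log and whether it is over
    warn_pct (the log above only got noisy at 100%, when archiving had already
    stopped). Returns None when the log holds no ORA-19815 line at all."""
    hits = parse_fra_warnings(lines)
    if not hits:
        return None
    limit, pct, remaining = hits[-1]
    return {"limit_gb": limit / 2**30, "pct_used": pct,
            "remaining_gb": remaining / 2**30, "alert": pct >= warn_pct}


def fs_headroom_gb(remaining_bytes, fs_avail_kb):
    """How far db_recovery_file_dest_size can still be raised before Oracle's
    limit exceeds what the filesystem really has: the free 1K-blocks reported
    by df minus the part of the current limit that is not yet consumed."""
    return (fs_avail_kb * 1024 - remaining_bytes) / 2**30


# Two lines from the post's alert_wcs.log plus a constructed filler line.
SAMPLE_ALERT_LOG = """\
Thread 1 advanced to log sequence 1017 (LGWR switch)
ORA-19815: WARNING: db_recovery_file_dest_size of 107374182400 bytes is 100.00% used, and has 0 remaining bytes available.
ORA-19809: limit exceeded for recovery files
ORA-16038: log 1 sequence# 1018 cannot be archived
ORA-19815: WARNING: db_recovery_file_dest_size of 128849018880 bytes is 85.07% used, and has 19241095680 remaining bytes available.
""".splitlines()

if __name__ == "__main__":
    print(fra_status(SAMPLE_ALERT_LOG))
    # df showed 138909244 free 1K-blocks on /opt while the 100G area was full
    print("limit could grow by about %.1f GB" % fs_headroom_gb(0, 138909244))
```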

With the help of Google and a colleague with the necessary Oracle knowledge, this was the solution (increasing db_recovery_file_dest_size):

[root@ncs oracle]# su - oracle
[oracle@ncs ~]$ ls
base  coracleenv  dbPasswd.pwd  oracleenv  oraInventory  templates  utils
[oracle@ncs ~]$ . oracleenv
[oracle@ncs ~]$ sqlplus '/as sysdba'
SQL*Plus: Release 11.2.0.2.0 Production 
Copyright (c) 1982, 2010, Oracle.  All rights reserved.
Connected to an idle instance.

SQL> startup nomount
ORACLE instance started.

Total System Global Area 4275781632 bytes
Fixed Size                  2233336 bytes
Variable Size            2986347528 bytes
Database Buffers         1275068416 bytes
Redo Buffers               12132352 bytes
SQL> show parameter db_recovery_file_dest_size

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
db_recovery_file_dest_size           big integer 100G
SQL> alter system set db_recovery_file_dest_size=120G scope=both;

System altered.

SQL> show parameter db_recovery_file_dest_size;

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
db_recovery_file_dest_size           big integer 120G
SQL> shutdown
ORA-01507: database not mounted


ORACLE instance shut down.
SQL> quit

Still the error, but now with some free space to work with:

ORA-19815: WARNING: db_recovery_file_dest_size of 128849018880 bytes is 85.07% used, and has 19241095680 remaining bytes available.

Next I ran ncs cleanup on the NCS CLI:

ncs/admin# ncs cleanup
===================================================
Starting Cleanup: 
===================================================
Removing all files in backup staging directory
Removing all Matlab core related files
Removing all older log files
Cleaning older archive logs
Cleaning database backup and all archive logs
Cleaning database
Stopping database
Starting database
Starting database clean
Completed database clean
Stopping database
===================================================
Completed Cleanup
===================================================
ncs/admin#

And rebooted the system.

Oracle DB came up normally and NCS was happily running again.

Monday, January 21, 2013

New features added to WPTVdroid

New features recently added to WPTVdroid:

Channel guide (with the current and next running show), shown when you long-press the selected channel.



Channel preview: go to the menu and select "Channels preview"; this will briefly connect to every channel and show you a screenshot of the current program. Just click on the screenshot to go to the selected channel.
(Sometimes the screenshot will not be very clear or will show artifacts; I haven't found a solution for this yet.)
(This feature adds about 10MB to the WPTVdroid installation; if you don't have that much space, don't use this version.)




Downloads on http://blog.42.be/p/weepeetv.html

Any new features/ideas you would like to have added? Leave a comment or contact me @42wim


Tuesday, January 15, 2013

Increasing diskspace on Cisco Prime Infrastructure NCS 1.2 "the hard way?"

Somewhere last year PI NCS 1.2 was constantly complaining about disk full errors, although the disk was only 62% used.

Apparently the complaining starts above 60% because it needs to be able to make a temporary backup on the same disk the database is running on.

Our datacenter guy increased the disk (200GB) in VMware by 100GB.

I wrongly thought this would have fixed the problem and that the system would automatically resize everything.

I was wrong.



So after running root_enable it was possible to log in as root (it's just Linux underneath).

Below you can see the layout of the system, with 62% in use for /opt, where the database and temporary backups are located.

Filesystem           1K-blocks      Used Available Use% Mounted on

/dev/mapper/smosvg-rootvol
                       1967952    477860   1388512  26% /
/dev/mapper/smosvg-tmpvol
                       1967952     36460   1829912   2% /tmp
/dev/sda3               988116     17764    919348   2% /storedconfig
/dev/mapper/smosvg-recvol
                         95195      5664     84616   7% /recovery
/dev/mapper/smosvg-home
                         95195      5668     84612   7% /home
/dev/mapper/smosvg-optvol
                     147630356  86745492  53264668  62% /opt
/dev/mapper/smosvg-usrvol
                       5935604    904020   4725204  17% /usr
/dev/mapper/smosvg-varvol
                       1967952     90372   1776000   5% /var
/dev/mapper/smosvg-storeddatavol
                       3967680     74320   3688560   2% /storeddata
/dev/mapper/smosvg-altrootvol
                         95195      5664     84616   7% /altroot
/dev/mapper/smosvg-localdiskvol
                      29583412    204132  27852292   1% /localdisk
/dev/sda1               101086     12713     83154  14% /boot
tmpfs                  4021728   2044912   1976816  51% /dev/shm

How to fix this manually.
So we run fdisk, and we see that the extra 100GB is detected (/dev/sda 322.1GB).
We then add another primary partition (number 4) consisting of the missing 100GB.

# fdisk /dev/sda

The number of cylinders for this disk is set to 39162.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
   (e.g., DOS FDISK, OS/2 FDISK)

Command (m for help): p

Disk /dev/sda: 322.1 GB, 322122547200 bytes
255 heads, 63 sectors/track, 39162 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          13      104391   83  Linux
/dev/sda2              14       25368   203664037+  8e  Linux LVM
/dev/sda3           25369       25495     1020127+  83  Linux

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Selected partition 4
First sector (409577175-629145599, default 409577175):
Using default value 409577175
Last sector or +size or +sizeM or +sizeK (409577175-629145599, default 629145599):
Using default value 629145599

Command (m for help): p

Disk /dev/sda: 322.1 GB, 322122547200 bytes
255 heads, 63 sectors/track, 39162 cylinders, total 629145600 sectors
Units = sectors of 1 * 512 = 512 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *          63      208844      104391   83  Linux
/dev/sda2          208845   407536919   203664037+  8e  Linux LVM
/dev/sda3       407536920   409577174     1020127+  83  Linux
/dev/sda4       409577175   629145599   109784212+  83  Linux

Also tag it 8e so it becomes a Linux LVM partition.
And write the partition table <scary>

Command (m for help): t
Partition number (1-4): 4
Hex code (type L to list codes): 8e
Changed system type of partition 4 to 8e (Linux LVM)

Command (m for help): p

Disk /dev/sda: 322.1 GB, 322122547200 bytes
255 heads, 63 sectors/track, 39162 cylinders, total 629145600 sectors
Units = sectors of 1 * 512 = 512 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *          63      208844      104391   83  Linux
/dev/sda2          208845   407536919   203664037+  8e  Linux LVM
/dev/sda3       407536920   409577174     1020127+  83  Linux
/dev/sda4       409577175   629145599   109784212+  8e  Linux LVM

Command (m for help): v
62 unallocated sectors

Command (m for help): w
The partition table has been altered!

Calling ioctl() to re-read partition table.

WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table.
The new table will be used at the next reboot.
Syncing disks.

Now reboot the system.
When it boots up, the partition can be used.
Use pvcreate to create the new physical volume.
vgdisplay will still show the old 194.22GB because the volume isn't added to smosvg yet.

# pvcreate /dev/sda4
  Physical volume "/dev/sda4" successfully created

# vgdisplay
  --- Volume group ---
  VG Name               smosvg
  System ID
  Format                lvm2
  Metadata Areas        1
  Metadata Sequence No  12
  VG Access             read/write
  VG Status             resizable
  MAX LV                0
  Cur LV                11
  Open LV               11
  Max PV                0
  Cur PV                1
  Act PV                1
  VG Size               194.22 GB
  PE Size               32.00 MB
  Total PE              6215
  Alloc PE / Size       6215 / 194.22 GB
  Free  PE / Size       0 / 0
  VG UUID               vJcFNu-qPIP-uoKY-KiIu-wKCd-Jj7l-e8cLaV

pvdisplay will show the 2 volumes.

# pvdisplay
  --- Physical volume ---
  PV Name               /dev/sda2
  VG Name               smosvg
  PV Size               194.23 GB / not usable 10.66 MB
  Allocatable           yes (but full)
  PE Size (KByte)       32768
  Total PE              6215
  Free PE               0
  Allocated PE          6215
  PV UUID               ugQzvR-HsdX-cK8u-Sylm-NYAm-FXFX-YXkb6R

  --- Physical volume ---
  PV Name               /dev/sda4
  VG Name               smosvg
  PV Size               104.70 GB / not usable 11.15 MB
  Allocatable           yes
  PE Size (KByte)       32768
  Total PE              3350
  Free PE               3350
  Allocated PE          0
  PV UUID               pEPFVV-AI3e-HLfo-fy5i-TyEN-eRCp-BJiXPS

Now add this volume to /opt and extend it by 50GB, and use resize2fs so that the kernel knows the size changed.

# lvextend /dev/mapper/smosvg-optvol /dev/sda4
# lvextend -L +50G /dev/mapper/smosvg-optvol
  Extending logical volume optvol to 195.34 GB
  Logical volume optvol successfully resized

# resize2fs /dev/mapper/smosvg-optvol
resize2fs 1.39 (29-May-2006)
Filesystem at /dev/mapper/smosvg-optvol is mounted on /opt; on-line resizing required
Performing an on-line resize of /dev/mapper/smosvg-optvol to 51208192 (4k) blocks.
The filesystem on /dev/mapper/smosvg-optvol is now 51208192 blocks long.

A df will now show 47% in use for /opt.
The annoying popups are now gone.

# df
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/mapper/smosvg-rootvol
                       1967952    477876   1388496  26% /
/dev/mapper/smosvg-tmpvol
                       1967952     36460   1829912   2% /tmp
/dev/sda3               988116     17764    919348   2% /storedconfig
/dev/mapper/smosvg-recvol
                         95195      5664     84616   7% /recovery
/dev/mapper/smosvg-home
                         95195      5668     84612   7% /home
/dev/mapper/smosvg-optvol
                     198417376  88100224 100077796  47% /opt
/dev/mapper/smosvg-usrvol
                       5935604    904020   4725204  17% /usr
/dev/mapper/smosvg-varvol
                       1967952     88744   1777628   5% /var
/dev/mapper/smosvg-storeddatavol
                       3967680     74320   3688560   2% /storeddata
/dev/mapper/smosvg-altrootvol
                         95195      5664     84616   7% /altroot
/dev/mapper/smosvg-localdiskvol
                      29583412    204132  27852292   1% /localdisk
/dev/sda1               101086     12713     83154  14% /boot
tmpfs                  4021728   2044888   1976840  51% /dev/shm
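Added example (not from the post): a Python planner for the same growth, which reads df -P output, computes how much /opt has to grow to fall back under the 60% threshold, and prints (or, with apply=True, runs) the pvcreate/vgextend/lvextend/resize2fs sequence, with the new physical volume joined to the volume group by vgextend before the logical volume is extended. The df output is constructed from the numbers above and the device names are the post's.

```python
import math
import subprocess

# Layout from the post; hypothetical defaults for a dry run.
VG, LV, NEW_PV = "smosvg", "optvol", "/dev/sda4"
LV_PATH = f"/dev/{VG}/{LV}"   # same device as /dev/mapper/smosvg-optvol


def df_usage(df_p_output: str, mount: str):
    """Used and available 1K-blocks for `mount` from `df -P` output.
    -P keeps every filesystem on one line, unlike the wrapped output above."""
    for line in df_p_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 6 and fields[5] == mount:
            return int(fields[2]), int(fields[3])
    raise KeyError(mount)


def mib_needed(used_kb: int, avail_kb: int, target_pct: float) -> int:
    """Whole MiB to add so that df's Use% (used / (used + avail), not used /
    size, because ext3 keeps reserved blocks) drops to target_pct."""
    need_kb = used_kb * 100 / target_pct - (used_kb + avail_kb)
    return max(0, math.ceil(need_kb / 1024))


def grow_plan(pv: str, vg: str, lv_path: str, size: str):
    """Command sequence: the new PV must join the VG (vgextend) before the LV
    can be extended; resize2fs then grows the mounted ext3 filesystem online."""
    return [
        ["pvcreate", pv],
        ["vgextend", vg, pv],
        ["lvextend", "-L", f"+{size}", lv_path],
        ["resize2fs", lv_path],
    ]


def run_plan(plan, apply=False):
    """Print the commands; execute them (as root, in order, stopping at the
    first failure) only when apply=True."""
    for argv in plan:
        print(" ".join(argv))
        if apply:
            subprocess.run(argv, check=True)


# Constructed `df -P` output built from the numbers in the post.
DF_SAMPLE = """\
Filesystem                1024-blocks      Used Available Capacity Mounted on
/dev/mapper/smosvg-optvol   147630356  86745492  53264668      62% /opt
/dev/mapper/smosvg-varvol     1967952     90372   1776000       5% /var
"""

if __name__ == "__main__":
    used, avail = df_usage(DF_SAMPLE, "/opt")
    mib = mib_needed(used, avail, 60)
    print(f"/opt needs at least {mib} MiB more to get down to 60% used")
    run_plan(grow_plan(NEW_PV, VG, LV_PATH, "50G"))  # the post added 50G
```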

It seems like I fixed everything and that I was in the clear.

Which it was for a couple of weeks until ... to be continued in a later post.



Thursday, January 10, 2013

Simple WeepeeTV recorder


I created the record.pl script; with this simple script you can record WeepeeTV streams.

Unfortunately the WeepeeTV streams aren't that stable and ffmpeg (which is used to record) can't append to recordings, so sometimes your recordings may not be complete.

How it works

Basically it creates a small shell script in /tmp which is queued as an at job for the time you specified. This script will be executed at that time and will call ffmpeg to save the stream to a .mkv file in the output directory you've specified.

Config

To run the script, change the variables at the top of record.pl:


#make sure your ffmpeg supports https
my $FFMPEG="/usr/bin/ffmpeg-weepeetv";
my $ATCMD="/usr/bin/at";
#location of the xml source file
my $XMLFILE="wptv.xml";
#where to write the recordings
my $OUTPUTDIR="/opt/recordings";
#installation directory
my $PATH="/home/wim/wptvscraper";

Usage


record.pl --start=<time date> --duration <hh:mm:ss> --desc <description> --channel <name>

e.g.  perl record.pl --start=15:00 tomorrow --duration 00:30:00 --desc "crappy show" --channel een
records 30 minutes starting tomorrow at 15h on channel 'een'

<time date> can be anything 'at' supports, see 'man at'

Other options:
        --channels (shows available channels)


You can find the code on https://github.com/42wim/wptvscraper

Saturday, January 5, 2013

WeepeeTV and VLC (2)


I created createwptvxml.pl and weepeetv.lua (for use with VLC).

createwptvxml.pl is a simple screen-scraper Perl script (yes, it's written in Perl and not in a cool language like Python or Ruby) which logs in on the WeepeeTV site and creates an XML file containing the necessary m3u8 stream URLs.

This XML can be used to feed other applications on your local network, e.g. for use with VLC (see weepeetv.lua).
The XML file format is as follows:
<?xml version='1.0'?>
<items>
<item>
<title>channel</title>
<thumb>https://weepee.tv/img/channels/channel.jpg</thumb>
<h264>https://weepeetv.my-stream.eu/channel/uuid/channeluuid/stream.m3u8</h264>
</item>
</items>

To run the script, change the variables at the top of createwptvxml.pl:
## change these variables
my $ACCOUNT="uxxxxxx";
my $PASSWORD="secret";
my $CURL="/usr/bin/curl";
my $XMLFILE="wptv.xml";
my @sort=("een","canvas","bbc1","bbc2","acht","vtm","2be","vitaya","jim","ketnet","bbcentertainment","kanaalz","vtmKzoom","tvllogosmall","livetv");

You can find the code on github
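Added example (mine, not the project's code) covering both the wptv.xml format from this post and the at-job recorder described in the record.pl post above: it looks the channel's m3u8 URL up in the XML, builds the shell script for at with every user-supplied value shell-quoted, and writes it to a 0600 temp file instead of a predictable name in /tmp. The paths mirror the variables at the top of record.pl, and the XML is a constructed sample.

```python
import re
import shlex
import subprocess
import tempfile
import xml.etree.ElementTree as ET

# Hypothetical paths, mirroring the variables at the top of record.pl.
FFMPEG = "/usr/bin/ffmpeg-weepeetv"
ATCMD = "/usr/bin/at"
OUTPUTDIR = "/opt/recordings"


def load_channels(xml_text: str) -> dict:
    """Map channel title -> m3u8 URL from the wptv.xml format shown above."""
    root = ET.fromstring(xml_text)
    return {item.findtext("title"): item.findtext("h264")
            for item in root.iter("item")}


def build_script(url: str, duration: str, desc: str, channel: str,
                 ffmpeg: str = FFMPEG, outdir: str = OUTPUTDIR) -> str:
    """The shell script the at job will run. Everything user-supplied goes
    through shlex.quote, and the description is reduced to a safe file name,
    so a description like "x; rm -rf /" cannot break out of the script."""
    safe = re.sub(r"[^A-Za-z0-9._-]+", "_", desc).strip("_") or "recording"
    outfile = f"{outdir}/{safe}-{channel}.mkv"
    return "\n".join([
        "#!/bin/sh",
        f"DESC={shlex.quote(desc)}",
        f"exec {shlex.quote(ffmpeg)} -i {shlex.quote(url)} -t {shlex.quote(duration)}"
        f' -c copy -metadata title="$DESC" {shlex.quote(outfile)}',
        "",
    ])


def schedule(script: str, when: str, atcmd: str = ATCMD) -> str:
    """Write the script to a 0600 temp file created with O_EXCL (no predictable
    /tmp name another local user could pre-create) and hand it to at."""
    with tempfile.NamedTemporaryFile("w", prefix="wptvrec-", suffix=".sh",
                                     delete=False) as f:
        f.write(script)
    subprocess.run([atcmd, "-f", f.name] + shlex.split(when), check=True)
    return f.name


# Constructed sample in the format above (placeholder UUID, not a real stream).
WPTV_XML = """<?xml version='1.0'?>
<items>
<item>
<title>een</title>
<thumb>https://weepee.tv/img/channels/een.jpg</thumb>
<h264>https://weepeetv.my-stream.eu/een/uuid/CHANNELUUID/stream.m3u8</h264>
</item>
</items>"""

if __name__ == "__main__":
    url = load_channels(WPTV_XML)["een"]
    print(build_script(url, "00:30:00", "crappy show", "een"))
    # schedule(build_script(url, "00:30:00", "crappy show", "een"), "15:00 tomorrow")
```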

Friday, January 4, 2013

Android: things learned.

Things learned this past week developing Android apps:

- Cookies: A cookie isn't just a cookie; there are different RFCs which are apparently not implemented everywhere. More info on CookiePolicy, and in this Google search the cries of developers trying to work around broken cookies. Didn't really find a solution using the SDK, so I went native and used good old curl.



- SSL: Using self-signed certificates on Android is a PITA. (This is good for security of course, but bad if you want to test something on your own development server.) After googling and trying out a lot of different solutions, this one was the best/easiest: SSLSelfSigned.java from Nagroid.

- Android ports: http://dan.drown.org/android/ is a cool site if you want your Android more unixy.



- waitFor(): Don't forget Runtime.getRuntime().exec(...).waitFor() on the returned Process when running a lot of native apps sequentially :)

- namespaces: Java packages can't have numbers-only subpackages, e.g. be.42.myapp. Booh.

- DNS: Everything is a fscking DNS problem! :-) DNS resolving for native apps only works when linked against Bionic libc. This doesn't seem to be the case for the stunnel from stunnel.org.


Thursday, January 3, 2013

Unofficial WeepeeTV android app (beta)

Found a workaround for the cookie problem by using a native app (Curl).

This allowed me to do the screenscraping with curl and the parsing on android itself.

For the backend I picked MXplayer; the nice thing about it is that it has HLS support, so you'll be able to stream WeepeeTV on older Android versions too. I got it running on my HTC Wildfire S (although very slowly, no hardware decoding).

Of course this also allows you to have full screen and you're able to change your aspect ratio.

(The not so nice thing about MXplayer is that it doesn't support https URLs, so I included stunnel to do the https offloading.)

Some screenshots when running on my 7" ICS tablet.

Some polishing still has to be done, like decent error handling ;-)
But for now it works for me.

If anyone is interested in beta-testing this contact me on twitter (@42wim)